Windows Analysis Report
ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Overview

General Information

Sample name: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
Analysis ID: 1561806
MD5: d845db29c963e1314bdad5ae0e8363b4
SHA1: 29192740a48fd5e65e79cf8e32d129d9c0b84df1
SHA256: cbd238f60cc3c1a95155ae46d88eeda33c8dfa1ee5093e22aa1dcf80d5965987
Tags: msi, user-JAMESWT_MHT
Infos:

Detection

AteraAgent
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7472 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7552 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7628 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BEDEEE6C5E800683486D45882C70B787 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7668 cmdline: rundll32.exe "C:\Windows\Installer\MSI1264.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5968562 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7740 cmdline: rundll32.exe "C:\Windows\Installer\MSI1766.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5969828 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7828 cmdline: rundll32.exe "C:\Windows\Installer\MSI2D41.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5975390 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 1848 cmdline: rundll32.exe "C:\Windows\Installer\MSI489E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982406 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7880 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F32542BB014FEC02096438D522414E5D E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 7920 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 7964 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 7988 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIADAP.exe (PID: 7988 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
    • AteraAgent.exe (PID: 8072 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4" MD5: 477293F80461713D51A98A24023D45E8)
  • AteraAgent.exe (PID: 7292 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 5472 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 3376 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 1592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 4216 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7732 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DF31BE93D7FB3585D0.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DFBEDEA443DEFE141C.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DF906A73D282F9BD42.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DFD7B20DF7F70954E9.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
00000017.00000002.2206503993.000001DA9D403000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000D.00000002.1516184383.0000014C228FB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000019.00000002.2365662258.000001CAEF8E0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000019.00000002.2365662258.000001CAEF92B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000E.00000002.2623775013.00000294806F6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
19.0.AgentPackageAgentInformation.exe.177486b0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
19.0.AgentPackageAgentInformation.exe.177486b0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
19.2.AgentPackageAgentInformation.exe.17748cc0000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
13.0.AteraAgent.exe.14c07ff0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
Source: Process started, Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding F32542BB014FEC02096438D522414E5D E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7880, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7920, ProcessName: net.exe
Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding F32542BB014FEC02096438D522414E5D E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7880, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7920, ProcessName: net.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T11:15:46.062964+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49789 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:30.938796+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49894 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:41.911699+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49923 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:48.684372+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49943 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:54.331468+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49963 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:57.658744+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49972 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:05.660354+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 50004 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:11.298785+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 50022 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:17.721985+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 50061 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:23.708140+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 50073 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:31.115013+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 50083 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:34.564302+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 50090 | 13.232.67.198 | 443 | TCP

AV Detection

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, ReversingLabs: Detection: 26%
Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, ReversingLabs: Detection: 26%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 93.3% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49768 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49769 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 108.158.75.12:443 -> 192.168.2.9:49792 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49904 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49942 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49943 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49983 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49985 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50004 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50043 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50044 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50047 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50048 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50049 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50051 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50050 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50067 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50068 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50073 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50086 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50089 version: TLS 1.2
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1446980607.0000000006E10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.PDBrb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb% source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb( source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.14.dr
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000005.00000002.1444717726.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb2 source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, MSI2FB3.tmp.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr
                              Source: Binary string: bHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbotm source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006DD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: System.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.PDBkd source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbCultur source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: nC:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdbQ source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\System.pdb} source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: nC:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: eHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb(cyv source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI2D41.tmp.2.dr, MSI1264.tmp.2.dr, 5b113b.msi.2.dr, MSI489E.tmp.2.dr, 5b113d.msi.2.dr, MSI1766.tmp.2.dr
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb Cul source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000005.00000003.1444045873.0000000006E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
                              Source: C:\Windows\System32\msiexec.exe File opened: z:
                              Source: C:\Windows\System32\msiexec.exe File opened: x:
                              Source: C:\Windows\System32\msiexec.exe File opened: v:
                              Source: C:\Windows\System32\msiexec.exe File opened: t:
                              Source: C:\Windows\System32\msiexec.exe File opened: r:
                              Source: C:\Windows\System32\msiexec.exe File opened: p:
                              Source: C:\Windows\System32\msiexec.exe File opened: n:
                              Source: C:\Windows\System32\msiexec.exe File opened: l:
                              Source: C:\Windows\System32\msiexec.exe File opened: j:
                              Source: C:\Windows\System32\msiexec.exe File opened: h:
                              Source: C:\Windows\System32\msiexec.exe File opened: f:
                              Source: C:\Windows\System32\msiexec.exe File opened: b:
                              Source: C:\Windows\System32\msiexec.exe File opened: y:
                              Source: C:\Windows\System32\msiexec.exe File opened: w:
                              Source: C:\Windows\System32\msiexec.exe File opened: u:
                              Source: C:\Windows\System32\msiexec.exe File opened: s:
                              Source: C:\Windows\System32\msiexec.exe File opened: q:
                              Source: C:\Windows\System32\msiexec.exe File opened: o:
                              Source: C:\Windows\System32\msiexec.exe File opened: m:
                              Source: C:\Windows\System32\msiexec.exe File opened: k:
                              Source: C:\Windows\System32\msiexec.exe File opened: i:
                              Source: C:\Windows\System32\msiexec.exe File opened: g:
                              Source: C:\Windows\System32\msiexec.exe File opened: e:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: c:
                              Source: C:\Windows\System32\msiexec.exe File opened: a:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF886A01FFFh 13_2_00007FF886A01FAC
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF886A01873h 13_2_00007FF886A0172D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF886A01A44h 13_2_00007FF886A01A35
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF886A0B972h 14_2_00007FF886A0B5E7
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF8869F4ECBh 14_2_00007FF8869F4E6B
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF886A0B972h 14_2_00007FF886A0B620
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF8869F227Bh 14_2_00007FF8869F225D

                              Networking

                              Source: Yara match File source: 19.0.AgentPackageAgentInformation.exe.177486b0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3eaa9905-10e5-43ca-a5ec-3f04289fa0f4&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=59dc8d89-7bee-4d36-a28b-270400da27e0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ab4cb35d-22c9-4fd4-8e1d-46a28fd23be0&tr=31&tt=17324433393200501&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?yFk+9uu9aja3RXZs7wXkvbKodLamRoX+E2lNjbQETmCf6sqL8+70SxX20aW8U680 HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=49524d65-4fb1-4bb1-9c7b-f5d3e2dbe3f7&tr=31&tt=17324433418622730&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=409cd075-04de-411d-8e74-cc204daabc39&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0b64e705-668e-465a-845d-ea16cbb2791c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8dc1d376-2e7b-4680-b35a-6e4e965362d5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=432189bc-183c-4c40-a56b-6e5a68b3917f&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af1c8f78-a8fb-4782-9e02-8522647fac57&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9401654a-318b-4070-93c4-7e976e6983d7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aef&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f23dd88-0fc7-4a6a-9b6f-a8e42f785442&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=83d4ff7e-819b-463d-a1d8-c1180d5bfe08&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9887171e-f6b2-4985-868a-76f8a9ac9c69&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b092b222-e28c-4cbf-b2ce-1ad35a4da96f&tr=31&tt=17324434136474401&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ee319b7e-c8e0-4aa4-aa35-08507a3b4589&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=7abf71f1-a15a-4c21-a35a-f3e49209c1fb&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=87de8078-9f58-41e2-9c51-2e34fbeb83af&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b90d88ed-90a0-4d85-a3f0-2431379878e6&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f1a24d2c-ba5b-4f09-8ec6-e6a721939c6c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=70950088-2434-4193-ae45-e02cd33c7b05&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=76f891ad-5bb8-448f-80e4-1f3374b27f0a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a0accb58-72c6-4bcd-b5e6-5bf070d2bbb5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8d3291ed-c39f-4716-80d8-7d0a2db2f535&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=333b9046-7952-41dc-bdec-09303be50cd7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7a698f03-89f8-46f9-b174-e35a78aa0274&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f92af507-a9f2-4685-b0f4-6803537136b8&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e628df81-96dc-46ed-9afe-0cd2a51d1679&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0162374f-2552-479f-be18-4b11df053a72&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7d96955c-b644-4f48-b6cb-41b97a7be479&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1c5270a6-0d03-478f-9521-4fd0a22c23ee&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d98288cb-7af6-4190-8ccc-d63bc9858741&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8c6407e7-1c76-4c34-98c8-2e3504ec6917&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=69f1cfdc-a5c4-4346-9133-ec4ebbe57718&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2d83b3c6-7779-408a-91cc-201421fcc115&tr=31&tt=17324434371950064&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=969880c8-517d-439a-8ec9-8324c81e878e&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=65e5bee7-d50d-4689-beb6-7331ad74953a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5b7ef6ec-f467-4166-9556-35fba301ea49&tr=31&tt=17324434479667468&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49789 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49894 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49972 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49923 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49963 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49943 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50004 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50061 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50073 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50083 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50022 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50090 -> 13.232.67.198:443
                              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5b7ef6ec-f467-4166-9556-35fba301ea49&tr=31&tt=17324434479667468&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic; DNS traffic detected: DNS query: agent-api.atera.com
Source: global traffic; DNS traffic detected: DNS query: ps.pndsn.com
Source: global traffic; DNS traffic detected: DNS query: ps.atera.com
                              Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.13.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
                              Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE2D000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.13.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                              Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://ocsp.digicert.com0
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAEF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2207440429.000001DAB5C2A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF08D5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF0900000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.14.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.drString found in binary or memory: http://ocsp.digicert.com0A
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, MSI30EE.tmp.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Newtonsoft.Json.dll.5.dr, MSI2FB3.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0C
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0K
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0N
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Newtonsoft.Json.dll.5.dr, MSI2FB3.tmp.2.dr, Newtonsoft.Json.dll.17.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0O
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://ocsp.digicert.com0X
                              Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                              Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09C79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                              Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80;
                              Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                              Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                              Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                              Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlh
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480534000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                              Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                              Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                              Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                              Source: rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.drString found in binary or memory: http://wixtoolset.org
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.drString found in binary or memory: http://wixtoolset.org/news/
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.drString found in binary or memory: http://wixtoolset.org/releases/
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.drString found in binary or memory: http://www.digicert.com/CPS0
                              Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                              Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.PrZ
                              Source: rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.drString found in binary or memory: https://agent-api.atera.com
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.drString found in binary or memory: https://agent-api.atera.com/
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Pro
                              Source: AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                              Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.drString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                              Source: AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294807A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480368000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurrin
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480374000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesNENTIALBACKOFF
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesected.
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesiChannelSubscribeRequestk.server.
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesibe
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesseTaskFactory/sub-c-a02ceca8-a958-1
                              Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesseTaskFactorya02ceca8-a958-11e5-bd8
                              Source: rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                              Spam, unwanted Advertisements and Ransom Demands

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Process Stats: CPU usage > 49%
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5b113b.msi
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI1264.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI1766.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2D41.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2FB3.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2FC4.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3022.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI30EE.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5b113d.msi
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI489E.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1264.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1264.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1766.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI1766.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI2D41.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI2D41.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI489E.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI489E.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
                              Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI1264.tmp
                              Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                              Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
                              Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
                              Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msiBinary or memory string: OriginalFilenamewixca.dll\ vs ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
                              Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                              Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                              Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                              Source: AteraAgent.exe.2.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                              Source: classification engineClassification label: mal88.troj.spyw.evad.winMSI@38/85@12/2
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1592:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMutant created: NULL
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7504:120:WilError_03
                              Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
                              Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
                              Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
                              Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5520:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7856:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF5892DD4D99EE3C15.TMP
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\System32\wbem\WMIADAP.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1264.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5968562 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                              Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msiReversingLabs: Detection: 26%
                              Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi"
                              Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BEDEEE6C5E800683486D45882C70B787
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1264.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5968562 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1766.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5969828 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2D41.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5975390 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F32542BB014FEC02096438D522414E5D E Global\MSI0000
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"
                              Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI489E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982406 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cabinet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                              Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: amsi.dll
                              Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: userenv.dll
                              Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: profapi.dll
                              Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: loadperf.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                              Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msiStatic file information: File size 2994176 > 1048576
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1446980607.0000000006E10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.PDBrb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb% source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb( source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.14.dr
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000005.00000002.1444717726.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb2 source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, MSI2FB3.tmp.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr
                              Source: Binary string: bHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbotm source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006DD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: System.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.PDBkd source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbCultur source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: nC:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdbQ source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\System.pdb} source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: nC:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: eHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb(cyv source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI2D41.tmp.2.dr, MSI1264.tmp.2.dr, 5b113b.msi.2.dr, MSI489E.tmp.2.dr, 5b113d.msi.2.dr, MSI1766.tmp.2.dr
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb Cul source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000005.00000003.1444045873.0000000006E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
                              Source: BouncyCastle.Crypto.dll.2.drStatic PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                              Source: MSI1264.tmp.2.drStatic PE information: real checksum: 0x32353 should be: 0x88610
                              Source: MSI489E.tmp.2.drStatic PE information: real checksum: 0x32353 should be: 0x88610
                              Source: MSI2D41.tmp.2.drStatic PE information: real checksum: 0x32353 should be: 0x88610

                              Persistence and Installation Behavior

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI30EE.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI489E.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1766.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2D41.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FC4.tmp
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3022.tmp
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1264.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI30EE.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI489E.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 14C08340000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 14C21EA0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 294E9FD0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 294EA180000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 17748900000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 177610C0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1DA9CE00000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1DAB5390000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1CAEFB60000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1CAF0040000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 3413
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 6218
                              Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 853
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI30EE.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2FC4.tmp
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3022.tmp
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 7776Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8140Thread sleep time: -60000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8092Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3816Thread sleep count: 3413 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2700Thread sleep count: 6218 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3868Thread sleep time: -27670116110564310s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3868Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 764Thread sleep count: 49 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 764Thread sleep time: -490000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3716Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1876Thread sleep time: -180000s >= -30000s
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 1900Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1868Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2036Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4944Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4700Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7868Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7832Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 8012Thread sleep count: 853 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                              Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 30000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 90000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                              Source: AgentPackageAgentInformation.exe.14.dr Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                              Source: AgentPackageAgentInformation.exe, 00000017.00000002.2207440429.000001DAB5BFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
                              Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`^
                              Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo
                              Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09C79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAEF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                              Source: rundll32.exe, 00000005.00000002.1444717726.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
                              Source: AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF08A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
                              Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
                              Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard
                              Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
                              Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="lauraclima92@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000maueiiap" /agentid="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
                              Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

                              Remote Access Functionality

                              Source: Yara match File source: 19.0.AgentPackageAgentInformation.exe.177486b0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 19.2.AgentPackageAgentInformation.exe.17748cc0000.1.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 13.0.AteraAgent.exe.14c07ff0000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000019.00000002.2364172083.000001CA80083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000E.00000002.2620087046.000000C589D95000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000E.00000002.2630233935.00000294E9A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.1516958239.00007FF886A94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000019.00000002.2365662258.000001CAEF8DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000E.00000002.2630403750.00000294E9A70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000013.00000002.1737064202.0000017749133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000E.00000002.2623775013.0000029480538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000017.00000002.2206503993.000001DA9D391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000E.00000002.2630403750.00000294E9AF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.1515070102.0000014C09F2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000017.00000002.2205662443.000001DA9CC55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000013.00000002.1737064202.00000177490C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000019.00000002.2364172083.000001CA80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.1515070102.0000014C09EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 7740, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 7828, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AteraAgent.exe PID: 8072, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AteraAgent.exe PID: 7292, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3376, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 4216, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7732, type: MEMORYSTR
Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DF31BE93D7FB3585D0.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DFBEDEA443DEFE141C.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DF906A73D282F9BD42.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DFD7B20DF7F70954E9.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DF5892DD4D99EE3C15.TMP, type: DROPPED
Source: Yara match; File source: C:\Config.Msi\5b113c.rbs, type: DROPPED
Source: Yara match; File source: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match; File source: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match; File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match; File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DF552422D476BA62BF.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match; File source: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match; File source: C:\Windows\Installer\MSI2FB3.tmp, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 11 Peripheral Device Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 21 Windows Service | 21 Windows Service | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 11 Service Execution | Logon Script (Windows) | 11 Process Injection | 21 Obfuscated Files or Information | Security Account Manager | 24 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 211 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 122 Masquerading | DCSync | 141 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 141 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
[Behavior graph. ID: 1561806, Sample: ReceitaFederal-consulta-yFZ..., Start date: 24/11/2024, Architecture: WINDOWS, Score: 88]

Source | Detection | Scanner | Label | Link
ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi | 26% | ReversingLabs | Win32.Trojan.Atera |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 26% | ReversingLabs | Win32.Trojan.Atera |
C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1264.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1264.tmp-\System.Management.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1766.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI1766.tmp-\System.Management.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2D41.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2FC4.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI3022.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI30EE.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI489E.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI489E.tmp-\System.Management.dll | 0% | ReversingLabs | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://ciCertTrustedimeStampingCA.cr0$ | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ps.pndsn.com | 13.232.67.198 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
d25btwd9wax8gu.cloudfront.net | 108.158.75.12 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
windowsupdatebg.s.llnwi.net | 178.79.238.0 | true | false | | high
ps.atera.com | unknown | unknown | false | | high
agent-api.atera.com | unknown | unknown | false | | high
Name    Source    Malicious    Antivirus Detection    Reputation
                                                                                                                                                                                            high
                                                                                                                                                                                            https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9/AgentPackageHeartbeat.zipAteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://agent-api.atera.com/rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.drfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://agent-api.atera.com/Production/Agent/GetRecurringPackagesAteraAgent.exe, 0000000E.00000002.2623775013.0000029480374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zipAteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://www.newtonsoft.com/jsonschemaNewtonsoft.Json.dll.17.drfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://agent-api.atera.com/Production/Agent/GetRecurringPackagesiChannelSubscribeRequestk.server.AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.zAteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zipAteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zipAteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zipAteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zipAteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aefAteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          https://www.newtonsoft.com/jsonrundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.drfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              high
                                                                                                                                                                                                                              http://wixtoolset.org/news/rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.drfalse
                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbfSystem.ValueTuple.dll.2.drfalse
                                                                                                                                                                                                                                  high
                                                                                                                                                                                                                                  https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformationAteraAgent.exe, 0000000E.00000002.2623775013.00000294800DE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    high
                                                                                                                                                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zipAteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      high
                                                                                                                                                                                                                                      https://agent-api.aterDrundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                        high
                                                                                                                                                                                                                                        https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                          high
                                                                                                                                                                                                                                          https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zipAteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                            high
                                                                                                                                                                                                                                            https://agent-api.atera.com/ProAteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                              high
                                                                                                                                                                                                                                              https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                                https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
13.232.67.198 | ps.pndsn.com | United States | 16509 | AMAZON-02US | false
108.158.75.12 | d25btwd9wax8gu.cloudfront.net | United States | 16509 | AMAZON-02US | false
                                                                                                                                                                                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                                  Analysis ID:1561806
                                                                                                                                                                                                                                                  Start date and time:2024-11-24 11:14:18 +01:00
                                                                                                                                                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                                  Overall analysis duration:0h 10m 7s
                                                                                                                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                                  Report type:full
                                                                                                                                                                                                                                                  Cookbook file name:default.jbs
                                                                                                                                                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:28
                                                                                                                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                                                                                                                  Technologies:
                                                                                                                                                                                                                                                  • HCA enabled
                                                                                                                                                                                                                                                  • EGA enabled
                                                                                                                                                                                                                                                  • AMSI enabled
                                                                                                                                                                                                                                                  Analysis Mode:default
                                                                                                                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                                                                                                                  Sample name:ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
                                                                                                                                                                                                                                                  Detection:MAL
                                                                                                                                                                                                                                                  Classification:mal88.troj.spyw.evad.winMSI@38/85@12/2
                                                                                                                                                                                                                                                  EGA Information:Failed
                                                                                                                                                                                                                                                  HCA Information:
                                                                                                                                                                                                                                                  • Successful, ratio: 72%
                                                                                                                                                                                                                                                  • Number of executed functions: 437
                                                                                                                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                                                                                                  • Found application associated with file extension: .msi
                                                                                                                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 40.119.152.241, 192.229.221.95, 178.79.238.0, 199.232.214.172
                                                                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): crl.edge.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, cacerts.digicert.com, agentsapi.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, atera-agent-api-eu.westeurope.cloudapp.azure.com, ocsp.edge.digicert.com, crl3.digicert.com, crl4.digicert.com, wu-b-net.trafficmanager.net
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 3376 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 4216 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7732 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AteraAgent.exe, PID 7292 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AteraAgent.exe, PID 8072 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 1848 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 7668 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 7740 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 7828 because it is empty
                                                                                                                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                                                  • VT rate limit hit for: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
Time      Type             Description
05:15:25  API Interceptor  2x Sleep call for process: rundll32.exe modified
05:15:30  API Interceptor  2063522x Sleep call for process: AteraAgent.exe modified
05:15:54  API Interceptor  3x Sleep call for process: AgentPackageAgentInformation.exe modified
10:15:08  Task Scheduler   Run new task: {584141A0-F27C-4B91-A946-3612F20359A1} path:
                                                                                                                                                                                                                                                  No context
                                                                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                  ps.pndsn.comBOMB-762.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 35.157.63.227
                                                                                                                                                                                                                                                  9rSeCZbjZE.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 35.157.63.229
                                                                                                                                                                                                                                                  Guidelines_for_Citizen_Safety.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 35.157.63.229
                                                                                                                                                                                                                                                  Lisect_AVT_24003_G1B_84.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 35.157.63.227
                                                                                                                                                                                                                                                  forumapp.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 35.157.63.228
                                                                                                                                                                                                                                                  VANTAGENS_BBCLIENTES00001S4D444400000S.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 35.157.63.227
                                                                                                                                                                                                                                                  2cFFfHDG7D.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 35.157.63.229
                                                                                                                                                                                                                                                  2503.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 54.175.191.204
                                                                                                                                                                                                                                                  Salary.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 54.175.191.203
                                                                                                                                                                                                                                                  https://kinneretacil.egnyte.com/fl/gRykrFURtEGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 54.175.191.203
                                                                                                                                                                                                                                                  d25btwd9wax8gu.cloudfront.netBOMB-762.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 18.245.46.47
                                                                                                                                                                                                                                                  9rSeCZbjZE.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 13.35.58.104
                                                                                                                                                                                                                                                  Guidelines_for_Citizen_Safety.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 99.86.114.21
                                                                                                                                                                                                                                                  Lisect_AVT_24003_G1B_84.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 18.66.112.74
                                                                                                                                                                                                                                                  forumapp.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 18.66.112.49
                                                                                                                                                                                                                                                  VANTAGENS_BBCLIENTES00001S4D444400000S.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 143.204.68.99
                                                                                                                                                                                                                                                  2cFFfHDG7D.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 3.165.136.99
                                                                                                                                                                                                                                                  2503.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 99.84.160.56
                                                                                                                                                                                                                                                  Salary.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 108.139.47.50
                                                                                                                                                                                                                                                  https://kinneretacil.egnyte.com/fl/gRykrFURtEGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  • 108.139.47.50
                                                                                                                                                                                                                                                  bg.microsoft.map.fastly.netzapret.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                                                                  canva.batGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousJasonRATBrowse
                                                                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                                                                  4yOuoT4GFy.exeGet hashmaliciousAsyncRATBrowse
                                                                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                                                                  6xQ8CMUaES.exeGet hashmaliciousXmrigBrowse
                                                                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                                                                  1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                                                                  17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                                                                  download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • 146.75.30.172
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| AMAZON-02US | zgp.elf | malicious | Mirai | 13.245.101.151 |
| | santi.exe | malicious | FormBook | 13.248.169.48 |
| | PAYROLL LIST.exe | malicious | FormBook | 13.248.169.48 |
| | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 13.248.221.243 |
| | VSP469620.exe | malicious | FormBook | 13.248.169.48 |
| | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 76.223.74.74 |
| | arm7.nn.elf | malicious | Mirai, Okiru | 3.122.148.244 |
| | arm5.nn.elf | malicious | Mirai, Okiru | 13.223.155.145 |
| | sparc.nn.elf | malicious | Mirai, Okiru | 18.243.54.8 |
| | arm.nn.elf | malicious | Mirai, Okiru | 15.206.178.249 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | AsyncRAT, XWorm | 108.158.75.12, 13.232.67.198 |
| | CargoInvoice_Outstanding_56789_2024-11-21.vbs | malicious | Remcos, GuLoader | 108.158.75.12, 13.232.67.198 |
| | ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger | 108.158.75.12, 13.232.67.198 |
| | file.exe | malicious | Amadey, Stealc, Vidar | 108.158.75.12, 13.232.67.198 |
| | file.exe | malicious | Amadey, Stealc, Vidar | 108.158.75.12, 13.232.67.198 |
| | ZOL2mIYAUH.exe | malicious | Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT | 108.158.75.12, 13.232.67.198 |
| | owuP726k3d.exe | malicious | AsyncRAT, XWorm | 108.158.75.12, 13.232.67.198 |
| | WV7Gj9lJ7W.exe | malicious | XWorm | 108.158.75.12, 13.232.67.198 |
| | 18sFhgSyVK.exe | malicious | XWorm | 108.158.75.12, 13.232.67.198 |
| | kwlYObMOSn.exe | malicious | XWorm | 108.158.75.12, 13.232.67.198 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | setup (1).msi | malicious | AteraAgent | |
| | BOMB-762.msi | malicious | AteraAgent | |
| | LaudoBombeirosPDF.msi | malicious | AteraAgent | |
| | 1nzNNooNMS.msi | malicious | AteraAgent | |
| | Le55bnMCON.msi | malicious | AteraAgent | |
| | z8yxMFhhZI.msi | malicious | AteraAgent | |
| | kTbv9ZA2x0.msi | malicious | AteraAgent | |
| | IwmwOaVHnd.msi | malicious | AteraAgent | |
| | gaYiWz75kv.msi | malicious | AteraAgent | |
| | e8gTT6OTKZ.msi | malicious | AteraAgent | |
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):8879
                                                                                                                                                                                                                                                                      Entropy (8bit):5.662553399917579
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:kjcxz1ccbTOOeMeGn61c7r6IHfc7r6kAVv70HVotBVeZEmzmYpLAV770tpY9mr:kQD27YpYtiB2io
                                                                                                                                                                                                                                                                      MD5:27F188ECD757C5BFB1416AFC95F50F96
                                                                                                                                                                                                                                                                      SHA1:EBC7F92EFEE898A93EBF2C5C053EA24FDCE6B406
                                                                                                                                                                                                                                                                      SHA-256:92171F899893EBA8228A901514E3850ECC64CB624EAB04299C900B4711B22232
                                                                                                                                                                                                                                                                      SHA-512:6A96AD1F524FE96AAC83AA9B49B86130D6600BDBD75C31D7D0B32CE2401A1B02EEC4E173B2783D1DA63EACE6B37F8A3AE1921B556E917281C24B7324905B95A6
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\5b113c.rbs, Author: Joe Security
                                                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@.)xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent1.ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):753
                                                                                                                                                                                                                                                                      Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                                                      MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                                                      SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                                                      SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                                                      SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                      Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):7466
                                                                                                                                                                                                                                                                      Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                                                      MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                                                      SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                                                      SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                                                      SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):145968
                                                                                                                                                                                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                                                      Joe Sandbox View:
• Filename: setup (1).msi, Detection: malicious
• Filename: BOMB-762.msi, Detection: malicious
• Filename: LaudoBombeirosPDF.msi, Detection: malicious
• Filename: 1nzNNooNMS.msi, Detection: malicious
• Filename: Le55bnMCON.msi, Detection: malicious
• Filename: z8yxMFhhZI.msi, Detection: malicious
• Filename: kTbv9ZA2x0.msi, Detection: malicious
• Filename: IwmwOaVHnd.msi, Detection: malicious
• Filename: gaYiWz75kv.msi, Detection: malicious
• Filename: e8gTT6OTKZ.msi, Detection: malicious
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1442
                                                                                                                                                                                                                                                                      Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                                                      MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                                                      SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                                                      SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                      SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):3318832
                                                                                                                                                                                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):215088
                                                                                                                                                                                                                                                                      Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                      MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                      SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                      SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                      SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                      MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                      SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                      SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                      SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):384542
                                                                                                                                                                                                                                                                      Entropy (8bit):7.999374626035649
                                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                                      SSDEEP:6144:viqRTU5exRWDCtTLvL0XRFJE9A+BQlv9I+NBsNQvaNXvhGf1mzVeUXJLo:vil/DSLvAJ6CxBHmJXVpJLo
                                                                                                                                                                                                                                                                      MD5:4A09A87D2004DAC4B00687E9C9F15036
                                                                                                                                                                                                                                                                      SHA1:C78BB288E7A96642093ABE44CB9B7BBD3EC447BA
                                                                                                                                                                                                                                                                      SHA-256:2DBC8CF2592604C09793CBED61E0B072B1B1FFA375FB3C9ABCA83FA0E18AB9A5
                                                                                                                                                                                                                                                                      SHA-512:F555F5A0BB80514BC71BB33A77620D28A9E6715E538372AAA7F0500BC8D5BFE8511F5CA982E15304422479FF693E6F38510D6616A94580FC1B105DD2DA605EAA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):177704
                                                                                                                                                                                                                                                                      Entropy (8bit):5.814572246989157
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:2DpvOyLSson7aezB53Pbsk4GJCMA1TSuAehuZ7f2lz8/Cvolc3a:2D4y07asBx4krGSegZX3
                                                                                                                                                                                                                                                                      MD5:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                      SHA1:2E537E504704670B52CE775943F14BFBAF175C1B
                                                                                                                                                                                                                                                                      SHA-256:847D0CD49CCE4975BAFDEB67295ED7D2A3B059661560CA5E222544E9DFC5E760
                                                                                                                                                                                                                                                                      SHA-512:47228CBDBA54CD4E747DBA152FEB76A42BFC6CD781054998A249B62DD0426C5E26854CE87B6373F213B4E538A62C08A89A488E719E2E763B7B968E77FBF4FC02
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):546
                                                                                                                                                                                                                                                                      Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                                                      MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                                                      SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                                                      SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                                                      SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:WhWbn:WCn
                                                                                                                                                                                                                                                                      MD5:EB053699FC80499A7185F6D5F7D55BFE
                                                                                                                                                                                                                                                                      SHA1:9700472D22B1995C320507917FA35088AE4E5F05
                                                                                                                                                                                                                                                                      SHA-256:BCE3DFDCA8F0B57846E914D497F4BB262E3275F05EA761D0B4F4B778974E6967
                                                                                                                                                                                                                                                                      SHA-512:D66FA39C69D9C6448518CB9F98CBDAD4CE5E93CEEF8D20CE0DEEF91FB3E512B5D5A9458F7B8A53D4B68D693107872C5445E99F87C948878F712F8A79BC761DBF
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:version=38.0
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):96808
                                                                                                                                                                                                                                                                      Entropy (8bit):6.1799972918389185
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:UJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762A:UQUm2H5KTfOLgxFJjE50vksVUfPvO1W
                                                                                                                                                                                                                                                                      MD5:E2A9291940753244C88CB68D28612996
                                                                                                                                                                                                                                                                      SHA1:BAD8529A85C32E5C26C907CFB2FB0DA8461407AE
                                                                                                                                                                                                                                                                      SHA-256:6565E67D5DB582B3DE0B266EB59A8ACEC7CDF9943C020CB6879833D8BD784378
                                                                                                                                                                                                                                                                      SHA-512:F07669A3939E3E6B5A4D90C3A5B09CA2448E8E43AF23C08F7A8621817A49F7B0F5956D0539333A6DF334CC3E517255242E572EAEF02A7BBF4BC141A438BF9EB9
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):704552
                                                                                                                                                                                                                                                                      Entropy (8bit):5.953959038895453
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:/9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3i:/8m657w6ZBLmkitKqBCjC0PDgM5y
                                                                                                                                                                                                                                                                      MD5:3EF8D12AA1D48DEC3AC19A0CEABD4FD8
                                                                                                                                                                                                                                                                      SHA1:C81B7229A9BD55185A0EDCCB7E6DF3B8E25791CF
                                                                                                                                                                                                                                                                      SHA-256:18C1DDBDBF47370CC85FA2CF7BA043711AB3EADBD8DA367638686DFD6B735C85
                                                                                                                                                                                                                                                                      SHA-512:0FF2E8DBFEF7164B22F9AE9865E83154096971C3F0B236D988AB947E803C1ED03D86529AB80D2BE9FF33AF305D34C9B30082F8C26E575F0979CA9287B415F9F9
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):602672
                                                                                                                                                                                                                                                                      Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                      MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                      SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                      SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                      SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):73264
                                                                                                                                                                                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):213
                                                                                                                                                                                                                                                                      Entropy (8bit):5.183198255515514
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:A09MIEmTFKFKui9wqWluiKFHnFSLRg42VVmvKZqSkecEKXTWJFUMVIWcRYF2D2y:ANIEYs89w3pKFSQHwSkeWDWKWyFDX
                                                                                                                                                                                                                                                                      MD5:0987BAE35924B69A83A2F24C69C7D8AB
                                                                                                                                                                                                                                                                      SHA1:7FF33D31C74FF0F14B04FD1E2853EC24D219B094
                                                                                                                                                                                                                                                                      SHA-256:ACB27A9F548330544B2520E540F16DE92926F86D1CE0BD907D3CA8086E9EFA7B
                                                                                                                                                                                                                                                                      SHA-512:A0CAD7246908946E73E3DAC88CB9CA535B6B6D7A0EEC680B0A6703C46E8CEA3AF1110C51511FCF27B4545FBFEB34268395F4B8BB8721B5491BE7AAA3D0D366DA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:/i /IntegratorLogin=lauraclima92@gmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000MAUEiIAP /AgentId=ca4f6eb7-da88-4119-8d72-16266eeb5dd4.24/11/2024 05:15:31 Trace Starting..
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2402
                                                                                                                                                                                                                                                                      Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                                                      MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                                                      SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                                                      SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                                                      SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):651
                                                                                                                                                                                                                                                                      Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                                                      MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                                                      SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                                                      SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                                                      SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2994176
                                                                                                                                                                                                                                                                      Entropy (8bit):7.878659974620303
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:t+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:t+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                      MD5:D845DB29C963E1314BDAD5AE0E8363B4
                                                                                                                                                                                                                                                                      SHA1:29192740A48FD5E65E79CF8E32D129D9C0B84DF1
                                                                                                                                                                                                                                                                      SHA-256:CBD238F60CC3C1A95155AE46D88EEDA33C8DFA1EE5093E22AA1DCF80D5965987
                                                                                                                                                                                                                                                                      SHA-512:5973B633A39DFEE65A866067622BE4A8712DE99419524B8F7271B80396C0F9BCEB7ADDA848AEE171DF7E96B0A54E193B06253C6538746723F9441D88EE088AFC
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):437346
                                                                                                                                                                                                                                                                      Entropy (8bit):6.648160865611128
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:Tt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsI:BzOE2Z34KGzOE2Z34Kv
                                                                                                                                                                                                                                                                      MD5:99095428C30E55A0BEB210A8416CF9F5
                                                                                                                                                                                                                                                                      SHA1:55DD138A7B9665A13E15774BA26DFCF4C55201C5
                                                                                                                                                                                                                                                                      SHA-256:01A26C1B9E9F43D54BCF4E92D2322370EFD190DDB3D1B5976B2E357B769BF780
                                                                                                                                                                                                                                                                      SHA-512:F3CAF47CDF93CC750508CB107D009E3EF333E2471E4655905EC953DBEA117952CB7F620DC97C9C4D810BD1AECFBB51639DCE2E92F138C04758A98DDE662638C5
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2FB3.tmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@.)xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent1.ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<....................
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                                      Entropy (8bit):1.1915273715187449
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:JSbX72Fjt/EXAlfLIlHmRpkh+7777777777777777777777777ZDHFQ2iSvso3yl:JT6UIYNFh2F+F
                                                                                                                                                                                                                                                                      MD5:DADD66FF488370C187899FCBC770E691
                                                                                                                                                                                                                                                                      SHA1:0D07B2694598311395B145D11563A46447A6ED8C
                                                                                                                                                                                                                                                                      SHA-256:958E138DC0888462B9567F0C4D57B6B9C1FBA3BB10424463D9C866F017F871A9
                                                                                                                                                                                                                                                                      SHA-512:29C857E6AAED4BF9D83B6EDFAA674D268B7AD2227E63C29042C1B615D0339694FD0489ED4D750D88B60BC932C0BD274966B076B2ADF98077723A9F509453D3E3
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                                      Entropy (8bit):1.5775714827771812
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:5J8PhcuRc06WX4wFT5/mobVFBqISoedGPdGfgerl2cStedGPdGRubNAn:mhc1AFTpZVOIXcRoW
                                                                                                                                                                                                                                                                      MD5:BDB05A4C5679759B2C65669BC203D78F
                                                                                                                                                                                                                                                                      SHA1:D43C746CE31D057B127857834D7473F432D16939
                                                                                                                                                                                                                                                                      SHA-256:1745399D4561A358E15BD6C70F8BF9203F1BEC6695E9E4C8F74B6143E1969D12
                                                                                                                                                                                                                                                                      SHA-512:493F19941C5E8F1A3106210EEA7940BA7C786B8DECD523ED347ECE982001CA5DBF15D92CD1EFB8E45892A007E2B972A9D60A4F451411FD1489EB0104B60B80C8
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):360001
                                                                                                                                                                                                                                                                      Entropy (8bit):5.3629632962160265
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauN:zTtbmkExhMJCIpEk
                                                                                                                                                                                                                                                                      MD5:523B762E87081EC689CA5D126446F4ED
                                                                                                                                                                                                                                                                      SHA1:20653C828DDBBD6AF852952FBA20377B4ACBD9DC
                                                                                                                                                                                                                                                                      SHA-256:38E672303727B6803EA1CFA2EDEF8826B6043B4CE6D9C4DB37159B0282A5EBB8
                                                                                                                                                                                                                                                                      SHA-512:3141164A6071AAD560CA503489A00703EF888FC1849E481E970446FC2BCE863E65C6501500F32196AC3FD75D631CC1B6AE80554C41CD1A0E0ACE1402EDBEFBCD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):704
                                                                                                                                                                                                                                                                      Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                                                      MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                                                      SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                                                      SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                                                      SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                      Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):471
                                                                                                                                                                                                                                                                      Entropy (8bit):7.187019651177751
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:JyYOzg5GLsHzqTykJ0Ysbwsn5SWPYkq3n:JRO0ILsyJ0Y+Z5lYn
                                                                                                                                                                                                                                                                      MD5:441A4996E2EE86C4B588D8C0D407E7C2
                                                                                                                                                                                                                                                                      SHA1:0987D79EAECF4AFAD0E5C6F7BD9BD0A90CEABBD4
                                                                                                                                                                                                                                                                      SHA-256:300CFA12D5560F2B04E870FE42E15B6A2007E8F53E4CE1329BD506382075E657
                                                                                                                                                                                                                                                                      SHA-512:8D6D5BD1EA7BAAFEB8CA750CE112ED7FAD1477E1DEEF34994A145893EED217D1A9990A52D76790F8C00484378778504626E5C6A5F5193B8DA661AFDBD62600B0
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):71954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):727
                                                                                                                                                                                                                                                                      Entropy (8bit):7.537072345098989
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:5o6Tq9R5h44TUqrqILBKSB/P8KcFHiGIkZEaOR6qtcO4CoTBF/ZW9FD1QvuTw/n/:54oqXVKSBH8KqiGZtfqiOboTBF4l1ve/
                                                                                                                                                                                                                                                                      MD5:49BA85BE2CB152368FE6EE8982CF3D76
                                                                                                                                                                                                                                                                      SHA1:F078FDB44C9C62D64DC79849C7E41DEC4441A9C0
                                                                                                                                                                                                                                                                      SHA-256:28B91A2A15DFCE2BB789D5CF10E55DC8D46418AF6E8574CBA83CCAD4D396BE68
                                                                                                                                                                                                                                                                      SHA-512:67F5293A94BF17ED5031EEC51EE06BBC467860CDC48A2712694418185C0D400386BCD3D3C4FB46E7B5E50EEE1A6A4747707A3058D0C982B4CB16E8374816E787
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):737
                                                                                                                                                                                                                                                                      Entropy (8bit):7.5557187233228245
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:yeRLaWQMnFQlRAUcncFfBJurIT/L3wH/c9q5kvs0LQ+TDOFbx2UJhE47J:y2GWnSxuctGeqiW+Lp6L2ehE47J
                                                                                                                                                                                                                                                                      MD5:3DE65469B9F550FA32724673E299DFE2
                                                                                                                                                                                                                                                                      SHA1:4AAA64A5E233B459C3D4A5BCDD6EB115990C880D
                                                                                                                                                                                                                                                                      SHA-256:36BD170660F76039F65092E3CFB6F5AE7E6CE34E8E7321FABA7059E8407E3EB8
                                                                                                                                                                                                                                                                      SHA-512:642459FD1971BD4EBBC4C7128515F15D1F8AF15FE9AA5E992BDA18BB25B5913F3C36FCB1D9CA9D184C58F92295639976E3ECED7FEE5DEBB672C8F230EB31CD6E
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1716
                                                                                                                                                                                                                                                                      Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                                      MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                                      SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                                      SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                                      SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):727
                                                                                                                                                                                                                                                                      Entropy (8bit):7.534031201200033
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:5onfZUxc5RlRtBfQOx/hsLzjyNiA6M4SjmFjt5Y1DohqGoz7UcN/YNjoRLUE2lH2:5iCxcdZbxJqjFJ5mDohqocRYN7latn
                                                                                                                                                                                                                                                                      MD5:3AA154C597F0D3EF221B82298CE04F78
                                                                                                                                                                                                                                                                      SHA1:C15D53176E903BFAB12665B3E42D1B9ECCFB54D0
                                                                                                                                                                                                                                                                      SHA-256:B75A76C1C71E981D5299E2A8F85D317D14DA91FD79A615C70EF14876EBC9557D
                                                                                                                                                                                                                                                                      SHA-512:B9B93ED7F99E8B96EFB85A4DC9A8CEE9F7057B87DA9C2A1FE82FE8CD308F89C42E76E9170BB429999E1D985AF7847463B8C60173C44413685472E0B5E2306324
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1428
                                                                                                                                                                                                                                                                      Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                                      MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                                      SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                                      SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                                      SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):338
                                                                                                                                                                                                                                                                      Entropy (8bit):3.43868608298626
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kKezPK8EB9wQJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:mzyHwbkPlE99SCQl2DUevat
                                                                                                                                                                                                                                                                      MD5:845B58063B948F831F7B89D4CEDAECC7
                                                                                                                                                                                                                                                                      SHA1:76B8793AE9F63D827ABEB63981D4AA8E05CED897
                                                                                                                                                                                                                                                                      SHA-256:CB1685222C1B7D7750683AE95BE0A16BFB2B9D447E5848DB99C3B8D7A2C19233
                                                                                                                                                                                                                                                                      SHA-512:5FA1D1BB9A0A0428BDB4EC20AF66D34B0DFA6C95B3D7CFDA81EC38477F6190C03A2AE50CF2D0F3374E3080F3E80F40E74BAD676735CFAC397472D0C9033B8810
                                                                                                                                                                                                                                                                      Malicious:false
Preview: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab "746787a3f0d91:0"
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):400
                                                                                                                                                                                                                                                                      Entropy (8bit):3.9416071175693226
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ........O.h.Y>..(................~...=....o.ZC....................o.ZC.. ........E.NW>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):290
                                                                                                                                                                                                                                                                      Entropy (8bit):2.977525407934455
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... .........y._>..(....................................................... ........G..@.......................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):404
                                                                                                                                                                                                                                                                      Entropy (8bit):3.5576350710221694
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... .... ...{VL.....(....................................................... ...........O>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):248
                                                                                                                                                                                                                                                                      Entropy (8bit):3.0245471027899287
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ....f....=......(....................................................... ........T.~.:.. ...................h.t.t.p.:././.c.r.l.3...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.l...".6.7.3.d.0.d.e.d.-.2.e.1."...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):308
                                                                                                                                                                                                                                                                      Entropy (8bit):3.2131444407465524
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... .........".k^>..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):412
                                                                                                                                                                                                                                                                      Entropy (8bit):3.52612391143208
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ....(...v.r.@...(....................................................... .........KFW>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):254
                                                                                                                                                                                                                                                                      Entropy (8bit):3.060772882719261
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ....l.....X.^>..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1944
                                                                                                                                                                                                                                                                      Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):357
                                                                                                                                                                                                                                                                      Entropy (8bit):2.914952004241742
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:RKRKgIj2DDxXoejmKXVM8cv2RcLKdV9zbPUGfyAj9xMOOFOwOyW7AQLMNWc2vsKV:e8G4eBXVclq/UIJc3FNOOTNWdson
                                                                                                                                                                                                                                                                      MD5:52DF6A809F7BA7A7ABF1252F292B4E25
                                                                                                                                                                                                                                                                      SHA1:3703531F953FE8B6FE72931BECFCFEC5C146669A
                                                                                                                                                                                                                                                                      SHA-256:3C5BA44D2CB8993015BCA60B919DE1427E1170BAEF4C531DB12486A92DA536B8
                                                                                                                                                                                                                                                                      SHA-512:1E848B681930F3B1397175F9AB4C1B1B8B7F53D646A91DFD10B7DCF31DD2CBC790C5F6A7D61E01BFC80ADCF519E15D61334559CB67799F03B4797CFAFBCC1D8E
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////....
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                                      Entropy (8bit):1.5775714827771812
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:5J8PhcuRc06WX4wFT5/mobVFBqISoedGPdGfgerl2cStedGPdGRubNAn:mhc1AFTpZVOIXcRoW
                                                                                                                                                                                                                                                                      MD5:BDB05A4C5679759B2C65669BC203D78F
                                                                                                                                                                                                                                                                      SHA1:D43C746CE31D057B127857834D7473F432D16939
                                                                                                                                                                                                                                                                      SHA-256:1745399D4561A358E15BD6C70F8BF9203F1BEC6695E9E4C8F74B6143E1969D12
                                                                                                                                                                                                                                                                      SHA-512:493F19941C5E8F1A3106210EEA7940BA7C786B8DECD523ED347ECE982001CA5DBF15D92CD1EFB8E45892A007E2B972A9D60A4F451411FD1489EB0104B60B80C8
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF31BE93D7FB3585D0.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):1.261752766931243
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:KDRUu6O+xFX41T5XmobVFBqISoedGPdGfgerl2cStedGPdGRubNAn:wUHWTBZVOIXcRoW
                                                                                                                                                                                                                                                                      MD5:2E18A37B338AB60632C178ADDEFD233B
                                                                                                                                                                                                                                                                      SHA1:2C43FF8CC2AADF893F0E577FF3795FA37DEB9D41
                                                                                                                                                                                                                                                                      SHA-256:E3E8B464231850AF0CE7D4DD6AD1FEB2E4B4BE94ACBC09778E723AE05B3E2E1E
                                                                                                                                                                                                                                                                      SHA-512:C2940E07FD03EBE8B364DA779AD0F370DBE4ABEB77F860E220ED966BE9D4F290FC5045964899E1ED4922D28852ACA94C00156E70FB36133365BBDAA7B69DF586
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF552422D476BA62BF.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                                                      Entropy (8bit):0.14760965582819857
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:Cnm1ubmStedGPdGeqISoedGPdGfgerl2uSJmob:ijyLIXcEJZ
                                                                                                                                                                                                                                                                      MD5:DF43D973EE27C4BA3A73C40C7ACC1CEB
                                                                                                                                                                                                                                                                      SHA1:441F974E2E2C0C9B7DD01A114C650C4F0F93D10D
                                                                                                                                                                                                                                                                      SHA-256:2DB16BE50C0EE66FB57A4AF16B054360D2C420EE5619CBBFBF7C446DB6CDA7C3
                                                                                                                                                                                                                                                                      SHA-512:93C7037879E02E95A7D446DC01EAB35C51EFAC1D556F9BC5AF3A6B59AF287BE780F9A0D46843B0DB1891FB30C3F79AB661B7B29ACFFC0DE8A5E77B75BC1236FF
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF5892DD4D99EE3C15.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):0.08592365969022339
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOe3tEiSocR9ao3ydSVky6lf:2F0i8n0itFzDHFQ2iSvso3y7f
                                                                                                                                                                                                                                                                      MD5:075F40C695BB03114C4DF833283B71E8
                                                                                                                                                                                                                                                                      SHA1:DCFB524374A52FE6C1B2E8BB1DCB6F8F79A52738
                                                                                                                                                                                                                                                                      SHA-256:4456B86CB23AC32DE578895331FFFFA18585E8E89B979AE9FC571B5543EF5909
                                                                                                                                                                                                                                                                      SHA-512:4B92F0D3B8584B2A9491A4DC43600802B52F8045D226863903571752CC639A642700CD9FA65B11DEA600094EB43FF4E861FB690B0F634B0DF11AD22149B49F70
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):1.261752766931243
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:KDRUu6O+xFX41T5XmobVFBqISoedGPdGfgerl2cStedGPdGRubNAn:wUHWTBZVOIXcRoW
                                                                                                                                                                                                                                                                      MD5:2E18A37B338AB60632C178ADDEFD233B
                                                                                                                                                                                                                                                                      SHA1:2C43FF8CC2AADF893F0E577FF3795FA37DEB9D41
                                                                                                                                                                                                                                                                      SHA-256:E3E8B464231850AF0CE7D4DD6AD1FEB2E4B4BE94ACBC09778E723AE05B3E2E1E
                                                                                                                                                                                                                                                                      SHA-512:C2940E07FD03EBE8B364DA779AD0F370DBE4ABEB77F860E220ED966BE9D4F290FC5045964899E1ED4922D28852ACA94C00156E70FB36133365BBDAA7B69DF586
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF906A73D282F9BD42.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                                      Entropy (8bit):1.5775714827771812
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:5J8PhcuRc06WX4wFT5/mobVFBqISoedGPdGfgerl2cStedGPdGRubNAn:mhc1AFTpZVOIXcRoW
                                                                                                                                                                                                                                                                      MD5:BDB05A4C5679759B2C65669BC203D78F
                                                                                                                                                                                                                                                                      SHA1:D43C746CE31D057B127857834D7473F432D16939
                                                                                                                                                                                                                                                                      SHA-256:1745399D4561A358E15BD6C70F8BF9203F1BEC6695E9E4C8F74B6143E1969D12
                                                                                                                                                                                                                                                                      SHA-512:493F19941C5E8F1A3106210EEA7940BA7C786B8DECD523ED347ECE982001CA5DBF15D92CD1EFB8E45892A007E2B972A9D60A4F451411FD1489EB0104B60B80C8
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFBEDEA443DEFE141C.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):1.261752766931243
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:KDRUu6O+xFX41T5XmobVFBqISoedGPdGfgerl2cStedGPdGRubNAn:wUHWTBZVOIXcRoW
                                                                                                                                                                                                                                                                      MD5:2E18A37B338AB60632C178ADDEFD233B
                                                                                                                                                                                                                                                                      SHA1:2C43FF8CC2AADF893F0E577FF3795FA37DEB9D41
                                                                                                                                                                                                                                                                      SHA-256:E3E8B464231850AF0CE7D4DD6AD1FEB2E4B4BE94ACBC09778E723AE05B3E2E1E
                                                                                                                                                                                                                                                                      SHA-512:C2940E07FD03EBE8B364DA779AD0F370DBE4ABEB77F860E220ED966BE9D4F290FC5045964899E1ED4922D28852ACA94C00156E70FB36133365BBDAA7B69DF586
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD7B20DF7F70954E9.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):454
                                                                                                                                                                                                                                                                      Entropy (8bit):5.334995157189048
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:Y0rsShlOS0+3dYkmvO2xOiw13rTP8AUZMWJSmzetP:Y0rBBtdW/w1XPSZMWJ5UP
                                                                                                                                                                                                                                                                      MD5:125532809010DB59F8C8046E28E658F5
                                                                                                                                                                                                                                                                      SHA1:2F5532B934100174ACB278C2D04B9DC4D455B292
                                                                                                                                                                                                                                                                      SHA-256:467AF3BDDE143D79365C5E8817FDB066FF40C6F5AFC960A2EA8A6D903631C1C8
                                                                                                                                                                                                                                                                      SHA-512:FF3ABAA744B752F485DE9B7605A3758BCAB5F6FF9347A27EBAC4A1EDACACC93C47A9594460C93F34BE9FE198C3AABBC5AB24D951E37578B1C6DE9C5D4C2122A6
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:{"PackageName":"AgentPackageAgentInformation","ExecutableCommandArgs":["minimalIdentification"],"Data":{"AccountId":"001Q300000MAUEiIAP","UserLogin":"lauraclima92@gmail.com","MachineName":"061544","CustomerId":"1","FolderId":"","IsMinimalIdentification":true,"UniqueMachineIdentifier":"kP4dQwg8Rzymh8A+AbZLkP/rjrdvrwiV8BXnNhtr4N8=","OsType":"Windows"},"CommandId":"47be830f-d7d7-401a-87fc-8b93e37bf80a","AgentId":"ca4f6eb7-da88-4119-8d72-16266eeb5dd4"}..
                                                                                                                                                                                                                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                      Entropy (8bit):7.878659974620303
                                                                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                                                                      • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                                                      • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                                                      File name:ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
                                                                                                                                                                                                                                                                      File size:2'994'176 bytes
                                                                                                                                                                                                                                                                      MD5:d845db29c963e1314bdad5ae0e8363b4
                                                                                                                                                                                                                                                                      SHA1:29192740a48fd5e65e79cf8e32d129d9c0b84df1
                                                                                                                                                                                                                                                                      SHA256:cbd238f60cc3c1a95155ae46d88eeda33c8dfa1ee5093e22aa1dcf80d5965987
                                                                                                                                                                                                                                                                      SHA512:5973b633a39dfee65a866067622be4a8712de99419524b8f7271b80396c0f9bceb7adda848aee171df7e96b0a54e193b06253c6538746723f9441d88ee088afc
                                                                                                                                                                                                                                                                      SSDEEP:49152:t+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:t+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                      TLSH:EDD523117584483AE3BB0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                                                      Icon Hash:2d2e3797b32b2b99
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T11:15:46.062964+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49789 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:30.938796+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49894 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:41.911699+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49923 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:48.684372+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49943 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:54.331468+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49963 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:57.658744+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49972 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:05.660354+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 50004 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:11.298785+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 50022 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:17.721985+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 50061 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:23.708140+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 50073 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:31.115013+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 50083 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:34.564302+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 50090 | 13.232.67.198 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.092029095 CET49789443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.092045069 CET4434978913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.092118025 CET49789443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.092736959 CET49789443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.092751980 CET4434978913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.093252897 CET49790443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.093264103 CET4434979013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.093377113 CET49790443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.093534946 CET49790443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.093545914 CET4434979013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.239350080 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.239373922 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.239454031 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.239758015 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.239778996 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.100739002 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.100838900 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.102907896 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.102912903 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.103152990 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.103982925 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.147330999 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.487921953 CET4434979013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.489268064 CET49790443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.489290953 CET4434979013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.530426979 CET4434978913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.531728983 CET49789443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.531745911 CET4434978913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.818393946 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.864293098 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.868637085 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.868662119 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.868706942 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.868726969 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.868736029 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.868746996 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.868778944 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.868784904 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:45.868820906 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.053431988 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.053484917 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.053622961 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.053632021 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.053762913 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.063008070 CET4434978913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.063090086 CET4434978913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.063193083 CET49789443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.063870907 CET49789443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.097001076 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.097047091 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.097141981 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.097148895 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.097244978 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.228564024 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.228641033 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.228809118 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.228838921 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.252827883 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.252873898 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.253067970 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.253076077 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.276890993 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.276933908 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.276978970 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.276987076 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.277015924 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.296438932 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.296480894 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.296518087 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.296524048 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.296556950 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.348629951 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.427256107 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.427278996 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.427341938 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.427366972 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.427378893 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.427387953 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.427416086 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.427439928 CET49792443192.168.2.9108.158.75.12
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.442502022 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.442523956 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.442563057 CET44349792108.158.75.12192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.372383118 CET49904443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.419337034 CET4434990413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.895019054 CET4434990413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.895096064 CET4434990413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.895152092 CET49904443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.895768881 CET49904443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.662225962 CET4434979013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.662297010 CET4434979013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.662344933 CET49790443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.662364960 CET4434979013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.662442923 CET4434979013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.662489891 CET49790443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.663136959 CET49790443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.695024014 CET49923443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.695069075 CET4434992313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.695132971 CET49923443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.697056055 CET49923443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.697072029 CET4434992313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.697279930 CET49924443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.697321892 CET4434992413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.697413921 CET49924443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.697706938 CET49924443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.697724104 CET4434992413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.194746971 CET4434992413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.196399927 CET49924443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.196418047 CET4434992413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.389442921 CET4434992313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.390908957 CET49923443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.390928030 CET4434992313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.911756992 CET4434992313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.911833048 CET4434992313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.911874056 CET49923443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:41.912265062 CET49923443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.701209068 CET49924443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.701348066 CET4434992413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.701452971 CET49924443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.716867924 CET49942443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.716902018 CET4434994213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.716965914 CET49942443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.717762947 CET49942443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.717776060 CET4434994213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.732096910 CET49943443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.732127905 CET4434994313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.732670069 CET49943443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.732950926 CET49943443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:45.732974052 CET4434994313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.030694008 CET4434994213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.030793905 CET49942443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.032442093 CET49942443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.032449961 CET4434994213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.032689095 CET4434994213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.033601999 CET49942443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.075330973 CET4434994213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.148783922 CET4434994313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.148906946 CET49943443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.150616884 CET49943443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.150628090 CET4434994313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.150949955 CET4434994313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.151809931 CET49943443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.199341059 CET4434994313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.545084000 CET4434994213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.545151949 CET4434994213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.545211077 CET49942443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.563839912 CET49942443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.564856052 CET49952443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.564901114 CET4434995213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.564961910 CET49952443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.565193892 CET49952443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.565205097 CET4434995213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.684489965 CET4434994313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.684664011 CET4434994313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.684753895 CET49943443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:48.685194016 CET49943443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:50.955231905 CET4434995213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:50.957066059 CET49952443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:50.957087994 CET4434995213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.483495951 CET4434995213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.483584881 CET4434995213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.484113932 CET49952443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.484651089 CET49952443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.487894058 CET49963443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.487942934 CET4434996313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.488023996 CET49963443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.662571907 CET50014443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.662586927 CET4435001413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:07.596786022 CET4435001313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:07.598192930 CET50013443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:07.598208904 CET4435001313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.040013075 CET4435001413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.041599989 CET50014443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.041620970 CET4435001413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.174036980 CET4435001313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.174117088 CET4435001313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.174312115 CET50013443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.174736977 CET50013443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.175606012 CET50022443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.175648928 CET4435002213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.176181078 CET50022443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.176181078 CET50022443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.176218987 CET4435002213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.563517094 CET4435001413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.563601017 CET4435001413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.563658953 CET50014443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.567174911 CET50014443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.570125103 CET50023443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.570164919 CET4435002313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.570236921 CET50023443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.570816040 CET50023443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.570833921 CET4435002313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.765846968 CET4435002213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.767337084 CET50022443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.767345905 CET4435002213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.880208969 CET4435002313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.882096052 CET50023443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.882122993 CET4435002313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.298907995 CET4435002213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.299108982 CET4435002213.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.299196959 CET50022443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.299695969 CET50022443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.300751925 CET50037443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.300784111 CET4435003713.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.300848007 CET50037443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.301099062 CET50037443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.301112890 CET4435003713.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.394391060 CET4435002313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.394463062 CET4435002313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.394598007 CET50023443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.397788048 CET50023443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.523632050 CET50037443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.526484966 CET50043443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.526495934 CET50044443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.526523113 CET4435004313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.526541948 CET4435004413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.526662111 CET50043443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.526837111 CET50044443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.530427933 CET50043443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.530428886 CET50044443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.530448914 CET4435004413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.530457973 CET4435004313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:11.567344904 CET4435003713.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.113081932 CET50044443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.113183975 CET50047443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.113226891 CET4435004713.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.113390923 CET50047443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.113832951 CET50047443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.113847971 CET4435004713.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.155354023 CET4435004413.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.398395061 CET50047443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.400587082 CET50048443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.400625944 CET4435004813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.400677919 CET50048443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.401077986 CET50048443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.401093960 CET4435004813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.415299892 CET50048443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.417028904 CET50049443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.417125940 CET4435004913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.417193890 CET50049443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.417516947 CET50049443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.417556047 CET4435004913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.439358950 CET4435004713.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.459337950 CET4435004813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.465842962 CET50049443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.466861963 CET50050443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.466901064 CET4435005013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.466958046 CET50050443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:12.467478991 CET50050443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.492125988 CET4435006813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.492204905 CET4435006813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.492279053 CET50068443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.492803097 CET50068443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.493555069 CET50076443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.493583918 CET4435007613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.493741989 CET50076443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.494364977 CET50076443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.494383097 CET4435007613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.183303118 CET4435007313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.183406115 CET50073443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.185524940 CET50073443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.185533047 CET4435007313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.186356068 CET4435007313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.187349081 CET50073443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.231337070 CET4435007313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.708245039 CET4435007313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.708429098 CET4435007313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.708559990 CET50073443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:23.879853010 CET4435007613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:24.005577087 CET50076443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.379333019 CET50073443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.379606009 CET50078443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.379642010 CET4435007813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.379817963 CET50078443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.380373955 CET50078443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.380392075 CET4435007813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.381158113 CET50076443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.381176949 CET4435007613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.907851934 CET4435007613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.907926083 CET4435007613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.908081055 CET50076443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.909106016 CET50076443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.909136057 CET50080443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.909171104 CET4435008013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.909250975 CET50080443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.909473896 CET50080443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:25.909502983 CET4435008013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:27.698868990 CET4435007813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:27.700225115 CET50078443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:27.700248957 CET4435007813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.213392973 CET4435007813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.213474989 CET4435007813.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.213567019 CET50078443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.214023113 CET50078443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.214622974 CET50083443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.214663982 CET4435008313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.214787960 CET50083443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.214956999 CET50083443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.214972019 CET4435008313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.347678900 CET4435008013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.350115061 CET50080443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.350135088 CET4435008013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.883095980 CET4435008013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.883167982 CET4435008013.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.883297920 CET50080443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.883902073 CET50080443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.884258986 CET50086443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.884314060 CET4435008613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.884380102 CET50086443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.884654999 CET50086443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:28.884676933 CET4435008613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.592726946 CET4435008313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.594295025 CET50083443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.594306946 CET4435008313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.115019083 CET4435008313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.161902905 CET50083443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.161912918 CET4435008313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.162406921 CET50083443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.162452936 CET4435008313.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.162533045 CET50083443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.162898064 CET50089443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.162930012 CET4435008913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.163033009 CET50089443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.163572073 CET50089443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.163583994 CET4435008913.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.193063021 CET4435008613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.193149090 CET50086443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.196578026 CET50086443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.196593046 CET4435008613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.196834087 CET4435008613.232.67.198192.168.2.9
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.197922945 CET50086443192.168.2.913.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:31.243330956 CET4435008613.232.67.198192.168.2.9
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 24, 2024 11:15:22.528884888 CET | 192.168.2.9 | 1.1.1.1 | 0x9665 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:32.788486004 CET | 192.168.2.9 | 1.1.1.1 | 0x30a2 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:36.094491959 CET | 192.168.2.9 | 1.1.1.1 | 0xc47e | Standard query (0) | ps.pndsn.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:41.107248068 CET | 192.168.2.9 | 1.1.1.1 | 0x36d6 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:43.099895000 CET | 192.168.2.9 | 1.1.1.1 | 0xdeb1 | Standard query (0) | ps.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:51.950958014 CET | 192.168.2.9 | 1.1.1.1 | 0xb072 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:16:35.615700960 CET | 192.168.2.9 | 1.1.1.1 | 0x26be | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:16:45.730676889 CET | 192.168.2.9 | 1.1.1.1 | 0x9e0 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:16:48.568622112 CET | 192.168.2.9 | 1.1.1.1 | 0xd2d8 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:16:59.979974031 CET | 192.168.2.9 | 1.1.1.1 | 0x63b4 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:17:08.515295982 CET | 192.168.2.9 | 1.1.1.1 | 0xad2d | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:17:18.684544086 CET | 192.168.2.9 | 1.1.1.1 | 0x29a1 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 24, 2024 11:15:22.667788982 CET | 1.1.1.1 | 192.168.2.9 | 0x9665 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:29.761888027 CET | 1.1.1.1 | 192.168.2.9 | 0xb6c2 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:29.761888027 CET | 1.1.1.1 | 192.168.2.9 | 0xb6c2 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:31.914154053 CET | 1.1.1.1 | 192.168.2.9 | 0xce0 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:31.914154053 CET | 1.1.1.1 | 192.168.2.9 | 0xce0 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:31.931301117 CET | 1.1.1.1 | 192.168.2.9 | 0x5b9d | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:31.931301117 CET | 1.1.1.1 | 192.168.2.9 | 0x5b9d | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:32.925633907 CET | 1.1.1.1 | 192.168.2.9 | 0x30a2 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:36.232072115 CET | 1.1.1.1 | 192.168.2.9 | 0xc47e | No error (0) | ps.pndsn.com | | 13.232.67.198 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:36.232072115 CET | 1.1.1.1 | 192.168.2.9 | 0xc47e | No error (0) | ps.pndsn.com | | 13.232.67.199 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:41.245744944 CET | 1.1.1.1 | 192.168.2.9 | 0x36d6 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:43.237910032 CET | 1.1.1.1 | 192.168.2.9 | 0xdeb1 | No error (0) | ps.atera.com | d25btwd9wax8gu.cloudfront.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:43.237910032 CET | 1.1.1.1 | 192.168.2.9 | 0xdeb1 | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.12 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:43.237910032 CET | 1.1.1.1 | 192.168.2.9 | 0xdeb1 | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.4 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:43.237910032 CET | 1.1.1.1 | 192.168.2.9 | 0xdeb1 | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.46 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:43.237910032 CET | 1.1.1.1 | 192.168.2.9 | 0xdeb1 | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.93 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:47.146215916 CET | 1.1.1.1 | 192.168.2.9 | 0xa110 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:47.146215916 CET | 1.1.1.1 | 192.168.2.9 | 0xa110 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:48.930794001 CET | 1.1.1.1 | 192.168.2.9 | 0x9594 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.0 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:48.930794001 CET | 1.1.1.1 | 192.168.2.9 | 0x9594 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.128 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:52.263957977 CET | 1.1.1.1 | 192.168.2.9 | 0xb072 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:16:35.931299925 CET | 1.1.1.1 | 192.168.2.9 | 0x26be | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:16:45.868788958 CET | 1.1.1.1 | 192.168.2.9 | 0x9e0 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:16:48.707425117 CET | 1.1.1.1 | 192.168.2.9 | 0xd2d8 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:17:00.117737055 CET | 1.1.1.1 | 192.168.2.9 | 0x63b4 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:17:08.652882099 CET | 1.1.1.1 | 192.168.2.9 | 0xad2d | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:17:11.561975956 CET | 1.1.1.1 | 192.168.2.9 | 0x6ada | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:17:11.561975956 CET | 1.1.1.1 | 192.168.2.9 | 0x6ada | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:17:18.978228092 CET | 1.1.1.1 | 192.168.2.9 | 0x29a1 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
                                                                                                                                                                                                                                                                      • ps.pndsn.com
                                                                                                                                                                                                                                                                      • ps.atera.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49769 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:39 UTC | 364 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3eaa9905-10e5-43ca-a5ec-3f04289fa0f4&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
                                                                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                                                                                                                      Content-Type: application/json
                                                                                                                                                                                                                                                                      Host: ps.pndsn.com
                                                                                                                                                                                                                                                                      Connection: Keep-Alive
2024-11-24 10:15:39 UTC | 277 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                      Date: Sun, 24 Nov 2024 10:15:39 GMT
                                                                                                                                                                                                                                                                      Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                      Content-Length: 45
                                                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Access-Control-Allow-Methods: GET
                                                                                                                                                                                                                                                                      Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                      Access-Control-Expose-Headers: *
2024-11-24 10:15:39 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 33 39 33 32 30 30 35 30 31 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
                                                                                                                                                                                                                                                                      Data Ascii: {"t":{"t":"17324433393200501","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49768 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:39 UTC | 183 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=59dc8d89-7bee-4d36-a28b-270400da27e0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
                                                                                                                                                                                                                                                                      Host: ps.pndsn.com
                                                                                                                                                                                                                                                                      Connection: Keep-Alive
2024-11-24 10:15:39 UTC | 242 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                      Date: Sun, 24 Nov 2024 10:15:39 GMT
                                                                                                                                                                                                                                                                      Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                                                      Content-Length: 19
                                                                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                      Access-Control-Expose-Headers: *
2024-11-24 10:15:39 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 33 39 35 37 31 37 38 32 32 5d
                                                                                                                                                                                                                                                                      Data Ascii: [17324433395717822]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49776 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:42 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ab4cb35d-22c9-4fd4-8e1d-46a28fd23be0&tr=31&tt=17324433393200501&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
                                                                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                                                                                                                      Content-Type: application/json
                                                                                                                                                                                                                                                                      Host: ps.pndsn.com
2024-11-24 10:15:42 UTC | 279 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                      Date: Sun, 24 Nov 2024 10:15:42 GMT
                                                                                                                                                                                                                                                                      Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                      Content-Length: 1874
                                                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Access-Control-Allow-Methods: GET
                                                                                                                                                                                                                                                                      Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                      Access-Control-Expose-Headers: *
2024-11-24 10:15:42 UTC | 1874 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 34 31 38 36 32 32 37 33 30 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 62 64 30 36 30 39 37 39 2d 66 37 31 63 2d 34 65 31 36 2d 61 31 65 30 2d 64 66 36 30 33 33 66 35 63 31 65 62 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 34 31 38 36 32 32 37 33 30 22 2c 22 72 22 3a 32 35 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 63 61 34 66 36 65 62 37 2d 64 61 38 38 2d 34 31 31 39 2d 38 64 37 32 2d 31 36 32 36 36 65 65 62 35 64 64 34 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 34 30 64 37 38 38 31
                                                                                                                                                                                                                                                                      Data Ascii: {"t":{"t":"17324433418622730","r":31},"m":[{"a":"2","f":0,"i":"bd060979-f71c-4e16-a1e0-df6033f5c1eb","p":{"t":"17324433418622730","r":25},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"ca4f6eb7-da88-4119-8d72-16266eeb5dd4","d":{"CommandId":"40d7881


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49792 | 108.158.75.12 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:45 UTC | 212 | OUT | GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?yFk+9uu9aja3RXZs7wXkvbKodLamRoX+E2lNjbQETmCf6sqL8+70SxX20aW8U680 HTTP/1.1
                                                                                                                                                                                                                                                                      Host: ps.atera.com
                                                                                                                                                                                                                                                                      Connection: Keep-Alive
2024-11-24 10:15:45 UTC | 671 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                      Content-Type: application/octet-stream
                                                                                                                                                                                                                                                                      Content-Length: 384542
                                                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                                                      Content-MD5: SgmofSAE2sSwBofpyfFQNg==
                                                                                                                                                                                                                                                                      Last-Modified: Tue, 12 Nov 2024 07:13:54 GMT
                                                                                                                                                                                                                                                                      ETag: 0x8DD02E9910FA268
                                                                                                                                                                                                                                                                      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                                      x-ms-request-id: 4f2b2192-601e-007b-57cf-3c3f56000000
                                                                                                                                                                                                                                                                      x-ms-version: 2009-09-19
                                                                                                                                                                                                                                                                      x-ms-lease-status: unlocked
                                                                                                                                                                                                                                                                      x-ms-blob-type: BlockBlob
                                                                                                                                                                                                                                                                      Date: Sat, 23 Nov 2024 11:11:18 GMT
                                                                                                                                                                                                                                                                      Vary: Accept-Encoding
                                                                                                                                                                                                                                                                      X-Cache: Hit from cloudfront
                                                                                                                                                                                                                                                                      Via: 1.1 6ee57430ba13d2dcea3397c03edd349a.cloudfront.net (CloudFront)
                                                                                                                                                                                                                                                                      X-Amz-Cf-Pop: BAH53-P2
                                                                                                                                                                                                                                                                      X-Amz-Cf-Id: A744dihvtyxWJgyhNOM3w_WoFsDbTKxC0xK2h9K8VuRedmVGO8ZozA==
                                                                                                                                                                                                                                                                      Age: 83066
                                                                                                                                                                                                                                                                      Data Ascii: m4RM*As%rK'>)SG7Us[`E_30rGOr{";%;~v^|_Y;DD~}`v&RA'UQn#aQ=vEHo/<S|m@UIn=@[295m[`l\QW,qF
                                                                                                                                                                                                                                                                      2024-11-24 10:15:46 UTC16384INData Raw: 42 6f 97 44 d5 11 95 40 03 c9 3b 1a 83 34 ab de 78 4b 50 54 c4 13 51 e7 f1 91 93 49 6b 41 29 09 80 bf 2e e2 98 5a 65 cd ce a3 31 25 ee 0d fb 28 46 2c 0d ca d5 65 a8 c0 43 d5 f2 20 f3 ba ed e8 ca 15 88 e3 ab 6e 8d 6c 12 c0 12 b4 7d 96 13 5c 14 5a a2 80 b3 17 db 48 52 f1 2d bf c9 cd 20 43 e4 1a 08 01 66 1c 30 a5 18 11 45 16 e1 13 1a ed 26 ed fa 2b 75 4c b1 9f 90 be 94 13 c0 42 81 df d2 72 d9 6b 24 5b bb e2 da a0 81 34 eb 32 5c 67 0d 4d dd 9e fb d0 2d 55 b4 f5 fd 52 23 fc df 46 45 56 7f 0b de ad 1d eb 38 c3 13 45 60 ed ad ae 92 de 40 fe 22 63 e8 87 80 5b 05 19 9f 54 29 bf 4f 01 59 6c de be e8 51 0f 07 02 4d 77 cd ca 75 9f e7 5c 44 c8 0f a2 12 9b 3f 80 1a 38 34 35 d9 f5 08 ca a3 6a bc b4 e2 2f ae 33 fd d0 3d be a7 23 a1 d1 18 35 82 c6 99 ac 8b 4c 10 c0 98 62
                                                                                                                                                                                                                                                                      Data Ascii: BoD@;4xKPTQIkA).Ze1%(F,eC nl}\ZHR- Cf0E&+uLBrk$[42\gM-UR#FEV8E`@"c[T)OYlQMwu\D?845j/3=#5Lb
                                                                                                                                                                                                                                                                      2024-11-24 10:15:46 UTC16384INData Raw: cd ee fc 13 e7 db b8 12 5d c8 33 04 98 e2 1b ad 1d c4 ab 67 c6 a1 70 f0 54 3c 02 be d1 c4 fa a0 6b d0 f0 91 b7 f2 df fb 50 a4 91 9e 1c b1 01 58 11 76 31 a2 9f f0 13 9e f8 c9 e1 f7 8f 8b 93 b2 c3 16 77 bb d1 c5 0f cb 7a fc 0e 3c a0 0e 0d dd 4c 9b eb 7a 61 4a 78 d4 c6 35 ee 15 33 b1 a3 52 04 28 c2 d4 3d 07 c6 fd ee be b3 9a 88 0a 0f f9 5f bd bd 17 1d 01 b5 bb ac d1 50 f8 47 ba 71 fd ca 70 0f 97 c4 19 ed 09 87 ab f3 ab 7d ec c9 cc de 74 fb 3a fd 12 55 94 32 1f 68 44 a5 71 52 9e d6 fd 86 40 9c cf 34 c8 34 9f fa 59 46 b7 43 80 55 df 91 57 5a fd 46 64 18 f7 1b 12 90 3c 31 4a 7e e4 2a 4a 82 22 01 b7 d6 5a b1 84 7b e6 8f 48 f6 7b 77 79 d2 01 72 a5 8b e7 a1 12 6b 4b bf 2f 05 6b c4 3e b5 5c 29 1d 98 a8 6b 34 d3 89 37 fe d1 ff 87 cb 6f ff 33 2b 97 1e ff 7e 0a 36 5b
                                                                                                                                                                                                                                                                      Data Ascii: ]3gpT<kPXv1wz<LzaJx53R(=_PGqp}t:U2hDqR@44YFCUWZFd<1J~*J"Z{H{wyrkK/k>\)k47o3+~6[
                                                                                                                                                                                                                                                                      2024-11-24 10:15:46 UTC16384INData Raw: b6 f9 b5 08 85 18 17 50 1c ab 7a 70 7a fc 9b f9 1e 45 8a 2b 85 0c b4 eb b3 a8 68 46 e2 e2 32 47 1f ff 09 d8 9a f2 f4 88 f9 03 b4 83 e0 37 7f 4a 79 82 30 b3 ca 16 fd 65 1c ba 53 cc 5e 55 69 d0 59 02 8b 4d d1 8b f4 a2 3a e5 9a ea 4d a2 c7 49 a5 ae 45 89 a0 c2 05 ee c6 8e 57 f8 99 f5 1d cb 5f ff d7 4a 88 fd ac 24 59 b2 86 6c 4a e7 5a b2 4c dd 2c 16 05 f3 0d 0b 39 79 ae 6e e4 24 d7 45 56 7d aa 5b d2 ca 6a e7 d4 12 0a b0 03 2e 3e 32 66 f3 11 c5 6c 0f ab 20 2d e0 de 03 85 16 c5 ab 3d fb 57 c2 92 73 c0 dd 32 da cf 1f 10 73 e7 4b b1 f5 bd 89 d5 f9 b0 c2 05 06 c7 78 22 d3 b6 0c bb 8f 5e 79 c7 a4 b2 d7 6f 84 41 4c 52 d4 fb ef 81 7b 86 00 77 c6 cc fc 99 79 7b 66 93 fd 56 14 e2 50 b1 7d 35 7d af 88 e3 91 0e 5b 3c a1 00 84 e7 d5 e9 26 37 61 b2 6d c1 84 47 1a 7d 31 a7
                                                                                                                                                                                                                                                                      Data Ascii: PzpzE+hF2G7Jy0eS^UiYM:MIEW_J$YlJZL,9yn$EV}[j.>2fl -=Ws2sKx"^yoALR{wy{fVP}5}[<&7amG}1
                                                                                                                                                                                                                                                                      2024-11-24 10:15:46 UTC16384INData Raw: f8 02 a2 da 33 c2 cc 38 c1 1b b6 7e ea 86 6b 70 c8 15 ec fb 2d bb d9 51 c6 1d 23 19 f1 1c a3 d0 50 a1 fd e6 d2 01 ea 62 86 8a 12 7f a7 de 6e 5a 12 ff 6e 77 e8 08 ae c7 98 d8 7d 48 c8 51 ce 7c 8d 4a a9 b5 5f b3 26 96 ce ac 68 b9 09 f4 9c 95 c0 ed 0c 37 0d 64 86 4c a4 60 2c 96 3d c3 3a 0b f1 de 4c dc 35 b1 d8 77 48 46 32 d8 2f f6 30 9a 9c 0b 73 e6 a9 48 91 a5 f2 de c8 60 83 15 b2 2a ce 60 28 f2 dc 04 5f f0 93 e6 dc 7c fe 62 93 db 26 42 b6 ed 09 8c 5c ac d0 1d 52 f5 97 ff e1 c0 38 13 d6 41 53 46 74 d1 f6 47 6a f5 65 aa 58 73 d8 32 73 4d 4b cc 6c b6 47 18 6f 2c d5 40 52 07 a3 20 9e a1 3e 71 6c 4d 70 00 2f 71 40 ac ac a9 a6 81 df 37 40 7a c4 83 1a 98 dd 6b f8 4f d3 9a 0b db 78 44 67 97 4d e7 dd 4b 36 ee 4d aa 1e 9a 6c b0 e8 a6 31 44 99 d0 35 29 f7 54 78 29 4e
                                                                                                                                                                                                                                                                      Data Ascii: 38~kp-Q#PbnZnw}HQ|J_&h7dL`,=:L5wHF2/0sH`*`(_|b&B\R8ASFtGjeXs2sMKlGo,@R >qlMp/q@7@zkOxDgMK6Ml1D5)Tx)N


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49790 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:45 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=49524d65-4fb1-4bb1-9c7b-f5d3e2dbe3f7&tr=31&tt=17324433418622730&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:38 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:38 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1859
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:38 UTC | 1859 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 39 38 33 30 34 34 36 39 36 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 38 32 39 31 62 66 32 61 2d 33 31 61 32 2d 34 66 34 37 2d 38 62 64 36 2d 31 35 30 39 64 65 66 30 64 64 39 38 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 39 38 33 30 34 34 36 39 36 22 2c 22 72 22 3a 34 33 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 63 61 34 66 36 65 62 37 2d 64 61 38 38 2d 34 31 31 39 2d 38 64 37 32 2d 31 36 32 36 36 65 65 62 35 64 64 34 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 34 64 34 33 32 66 62
Data Ascii: {"t":{"t":"17324433983044696","r":31},"m":[{"a":"2","f":0,"i":"8291bf2a-31a2-4f47-8bd6-1509def0dd98","p":{"t":"17324433983044696","r":43},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"ca4f6eb7-da88-4119-8d72-16266eeb5dd4","d":{"CommandId":"4d432fb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49789 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:45 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=409cd075-04de-411d-8e74-cc204daabc39&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:15:46 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:45 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:46 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 34 35 38 30 34 32 34 33 39 5d
Data Ascii: [17324433458042439]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49894 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:30 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0b64e705-668e-465a-845d-ea16cbb2791c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:30 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:30 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:30 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 39 30 36 38 35 36 34 39 30 5d
Data Ascii: [17324433906856490]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49904 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:33 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8dc1d376-2e7b-4680-b35a-6e4e965362d5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:33 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:33 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:33 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49924 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:41 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=432189bc-183c-4c40-a56b-6e5a68b3917f&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49923 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:41 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af1c8f78-a8fb-4782-9e02-8522647fac57&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:41 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:41 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:41 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 30 31 36 35 34 33 33 33 30 5d
Data Ascii: [17324434016543330]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49942 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:48 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9401654a-318b-4070-93c4-7e976e6983d7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:48 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:48 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:48 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49943 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:48 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aef&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:48 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:48 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:48 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 30 38 34 33 35 36 35 34 31 5d
Data Ascii: [17324434084356541]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49952 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:50 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f23dd88-0fc7-4a6a-9b6f-a8e42f785442&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:51 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:51 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:51 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 39 38 33 30 34 34 36 39 36 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324433983044696","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.9 | 49963 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:53 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=83d4ff7e-819b-463d-a1d8-c1180d5bfe08&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:54 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:54 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:54 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 31 34 30 38 31 38 36 36 34 5d
Data Ascii: [17324434140818664]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.9 | 49964 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:53 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9887171e-f6b2-4985-868a-76f8a9ac9c69&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:54 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:54 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1894
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
                                                                                                                                                                                                                                                                      2024-11-24 10:16:54 UTC1894INData Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 31 33 36 34 37 34 34 30 31 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 66 31 63 37 62 34 30 35 2d 63 64 61 38 2d 34 64 38 37 2d 61 30 66 62 2d 39 38 62 61 63 61 37 66 63 65 34 64 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 31 33 36 34 37 34 34 30 31 22 2c 22 72 22 3a 34 31 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 63 61 34 66 36 65 62 37 2d 64 61 38 38 2d 34 31 31 39 2d 38 64 37 32 2d 31 36 32 36 36 65 65 62 35 64 64 34 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 34 37 62 65 38 33 30
                                                                                                                                                                                                                                                                      Data Ascii: {"t":{"t":"17324434136474401","r":31},"m":[{"a":"2","f":0,"i":"f1c7b405-cda8-4d87-a0fb-98baca7fce4d","p":{"t":"17324434136474401","r":41},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"ca4f6eb7-da88-4119-8d72-16266eeb5dd4","d":{"CommandId":"47be830


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.9 | 49973 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:56 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b092b222-e28c-4cbf-b2ce-1ad35a4da96f&tr=31&tt=17324434136474401&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.9 | 49972 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:57 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ee319b7e-c8e0-4aa4-aa35-08507a3b4589&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:57 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:57 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:57 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 31 37 34 30 31 31 32 39 36 5d
Data Ascii: [17324434174011296]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.9 | 49983 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:59 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=7abf71f1-a15a-4c21-a35a-f3e49209c1fb&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:00 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:00 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:00 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 49985 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:00 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=87de8078-9f58-41e2-9c51-2e34fbeb83af&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:00 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:00 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:00 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 50004 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:05 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b90d88ed-90a0-4d85-a3f0-2431379878e6&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:05 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:05 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:05 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 32 35 34 30 31 32 30 39 30 5d
Data Ascii: [17324434254012090]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.9 | 50013 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:07 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f1a24d2c-ba5b-4f09-8ec6-e6a721939c6c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:08 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:07 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                                                                                                                      Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                      Access-Control-Expose-Headers: *
                                                                                                                                                                                                                                                                      2024-11-24 10:17:08 UTC55INData Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                      Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.9 | 50014 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:08 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=70950088-2434-4193-ae45-e02cd33c7b05&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:08 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:08 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 8
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:08 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.9 | 50022 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:10 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=76f891ad-5bb8-448f-80e4-1f3374b27f0a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:11 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:11 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:11 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 33 31 30 34 30 31 38 31 30 5d
Data Ascii: [17324434310401810]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.9 | 50023 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:10 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a0accb58-72c6-4bcd-b5e6-5bf070d2bbb5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:11 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:11 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:11 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.9 | 50043 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:13 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8d3291ed-c39f-4716-80d8-7d0a2db2f535&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:14 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:14 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 6
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:14 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.9 | 50051 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:14 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=333b9046-7952-41dc-bdec-09303be50cd7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:15 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:15 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                      Access-Control-Expose-Headers: *
                                                                                                                                                                                                                                                                      2024-11-24 10:17:15 UTC55INData Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                      Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.9 | 50061 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:17 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7a698f03-89f8-46f9-b174-e35a78aa0274&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:17 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:17 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:17 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 33 37 34 37 32 38 35 30 39 5d
Data Ascii: [17324434374728509]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.9 | 50062 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:17 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f92af507-a9f2-4685-b0f4-6803537136b8&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:18 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:18 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:18 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 33 37 31 39 35 30 30 36 34 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324434371950064","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.9 | 50067 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:20 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e628df81-96dc-46ed-9afe-0cd2a51d1679&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:20 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:20 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:20 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.9 | 50068 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:20 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0162374f-2552-479f-be18-4b11df053a72&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:21 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:21 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:21 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 33 37 31 39 35 30 30 36 34 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324434371950064","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.9 | 50073 | 13.232.67.198 | 443 | 7292 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:23 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7d96955c-b644-4f48-b6cb-41b97a7be479&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:23 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:23 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:23 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 34 33 34 35 30 31 39 36 35 5d
Data Ascii: [17324434434501965]


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
31          192.168.2.9  50076        13.232.67.198   443               7292  C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-24 10:17:25 UTC  340                OUT        GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1c5270a6-0d03-478f-9521-4fd0a22c23ee&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Type: application/json
  Host: ps.pndsn.com
2024-11-24 10:17:25 UTC  277                IN         HTTP/1.1 200 OK
  Date: Sun, 24 Nov 2024 10:17:25 GMT
  Content-Type: text/javascript; charset="UTF-8"
  Content-Length: 45
  Connection: close
  Cache-Control: no-cache
  Access-Control-Allow-Methods: GET
  Access-Control-Allow-Credentials: true
  Access-Control-Expose-Headers: *
2024-11-24 10:17:25 UTC  45                 IN         Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 33 37 31 39 35 30 30 36 34 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
  Data Ascii: {"t":{"t":"17324434371950064","r":31},"m":[]}


Session ID  Source IP    Source Port  Destination IP  Destination Port
32          192.168.2.9  50078        13.232.67.198   443

Timestamp                Bytes transferred  Direction  Data
2024-11-24 10:17:27 UTC  358                OUT        GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d98288cb-7af6-4190-8ccc-d63bc9858741&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Type: application/json
  Host: ps.pndsn.com
2024-11-24 10:17:28 UTC  323                IN         HTTP/1.1 200 OK
  Date: Sun, 24 Nov 2024 10:17:27 GMT
  Content-Type: text/javascript; charset="UTF-8"
  Content-Length: 55
  Connection: close
  Access-Control-Allow-Methods: OPTIONS, GET, POST
  Age: 12
  Cache-Control: no-cache
  Accept-Ranges: bytes
  Access-Control-Allow-Credentials: true
  Access-Control-Expose-Headers: *
2024-11-24 10:17:28 UTC  55                 IN         Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
  Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID  Source IP    Source Port  Destination IP  Destination Port
33          192.168.2.9  50080        13.232.67.198   443

Timestamp                Bytes transferred  Direction  Data
2024-11-24 10:17:28 UTC  358                OUT        GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8c6407e7-1c76-4c34-98c8-2e3504ec6917&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Type: application/json
  Host: ps.pndsn.com
2024-11-24 10:17:28 UTC  323                IN         HTTP/1.1 200 OK
  Date: Sun, 24 Nov 2024 10:17:28 GMT
  Content-Type: text/javascript; charset="UTF-8"
  Content-Length: 55
  Connection: close
  Access-Control-Allow-Methods: OPTIONS, GET, POST
  Age: 28
  Cache-Control: no-cache
  Accept-Ranges: bytes
  Access-Control-Allow-Credentials: true
  Access-Control-Expose-Headers: *
2024-11-24 10:17:28 UTC  55                 IN         Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
  Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID  Source IP    Source Port  Destination IP  Destination Port
34          192.168.2.9  50083        13.232.67.198   443

Timestamp                Bytes transferred  Direction  Data
2024-11-24 10:17:30 UTC  159                OUT        GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=69f1cfdc-a5c4-4346-9133-ec4ebbe57718&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
  Host: ps.pndsn.com
2024-11-24 10:17:31 UTC  242                IN         HTTP/1.1 200 OK
  Date: Sun, 24 Nov 2024 10:17:30 GMT
  Content-Type: text/javascript; charset="UTF-8"
  Connection: close
  Content-Length: 19
  Cache-Control: no-cache
  Access-Control-Allow-Credentials: true
  Access-Control-Expose-Headers: *
2024-11-24 10:17:31 UTC  19                 IN         Data Raw: 5b 31 37 33 32 34 34 33 34 35 30 38 36 37 30 33 39 37 5d
  Data Ascii: [17324434508670397]


Session ID  Source IP    Source Port  Destination IP  Destination Port
35          192.168.2.9  50086        13.232.67.198   443

Timestamp                Bytes transferred  Direction  Data
2024-11-24 10:17:31 UTC  362                OUT        GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2d83b3c6-7779-408a-91cc-201421fcc115&tr=31&tt=17324434371950064&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Type: application/json
  Host: ps.pndsn.com
2024-11-24 10:17:31 UTC  279                IN         HTTP/1.1 200 OK
  Date: Sun, 24 Nov 2024 10:17:31 GMT
  Content-Type: text/javascript; charset="UTF-8"
  Content-Length: 1854
  Connection: close
  Cache-Control: no-cache
  Access-Control-Allow-Methods: GET
  Access-Control-Allow-Credentials: true
  Access-Control-Expose-Headers: *
2024-11-24 10:17:31 UTC  1854               IN         Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 34 37 39 36 36 37 34 36 38 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 32 62 64 39 61 33 64 39 2d 66 39 62 39 2d 34 62 39 32 2d 61 30 33 63 2d 39 34 36 64 37 34 61 32 32 35 66 32 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 34 37 39 36 36 37 34 36 38 22 2c 22 72 22 3a 34 33 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 63 61 34 66 36 65 62 37 2d 64 61 38 38 2d 34 31 31 39 2d 38 64 37 32 2d 31 36 32 36 36 65 65 62 35 64 64 34 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 61 31 33 65 30 61 64
  Data Ascii: {"t":{"t":"17324434479667468","r":31},"m":[{"a":"2","f":0,"i":"2bd9a3d9-f9b9-4b92-a03c-946d74a225f2","p":{"t":"17324434479667468","r":43},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"ca4f6eb7-da88-4119-8d72-16266eeb5dd4","d":{"CommandId":"a13e0ad


                                                                                                                                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                                                                                                                                                      36192.168.2.95008913.232.67.198443
                                                                                                                                                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                      2024-11-24 10:17:33 UTC358OUTGET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=969880c8-517d-439a-8ec9-8324c81e878e&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
                                                                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                                                                                                                      Content-Type: application/json
                                                                                                                                                                                                                                                                      Host: ps.pndsn.com
2024-11-24 10:17:34 UTC  322                IN         HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                      Date: Sun, 24 Nov 2024 10:17:33 GMT
                                                                                                                                                                                                                                                                      Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                      Content-Length: 55
                                                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                                                      Access-Control-Allow-Methods: OPTIONS, GET, POST
                                                                                                                                                                                                                                                                      Age: 0
                                                                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                                                                                                                      Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                      Access-Control-Expose-Headers: *
2024-11-24 10:17:34 UTC  55                 IN         Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                      Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID  Source IP    Source Port  Destination IP  Destination Port
37          192.168.2.9  50090        13.232.67.198   443

Timestamp                Bytes transferred  Direction  Data
2024-11-24 10:17:34 UTC  159                OUT        GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=65e5bee7-d50d-4689-beb6-7331ad74953a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
                                                                                                                                                                                                                                                                      Host: ps.pndsn.com
2024-11-24 10:17:34 UTC  242                IN         HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                      Date: Sun, 24 Nov 2024 10:17:34 GMT
                                                                                                                                                                                                                                                                      Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                                                      Content-Length: 19
                                                                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                      Access-Control-Expose-Headers: *
2024-11-24 10:17:34 UTC  19                 IN         Data Raw: 5b 31 37 33 32 34 34 33 34 35 34 33 31 34 31 30 34 30 5d
                                                                                                                                                                                                                                                                      Data Ascii: [17324434543141040]


Session ID  Source IP    Source Port  Destination IP  Destination Port
38          192.168.2.9  50093        13.232.67.198   443

Timestamp                Bytes transferred  Direction  Data
2024-11-24 10:17:36 UTC  362                OUT        GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5b7ef6ec-f467-4166-9556-35fba301ea49&tr=31&tt=17324434479667468&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1
                                                                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                                                                                                                      Content-Type: application/json
                                                                                                                                                                                                                                                                      Host: ps.pndsn.com



                                                                                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                                                                                      Start time:05:15:17
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi"
                                                                                                                                                                                                                                                                      Imagebase:0x7ff7ef770000
                                                                                                                                                                                                                                                                      File size:69'632 bytes
                                                                                                                                                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:2
                                                                                                                                                                                                                                                                      Start time:05:15:18
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                      Imagebase:0x7ff7ef770000
                                                                                                                                                                                                                                                                      File size:69'632 bytes
                                                                                                                                                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                                                                                                      Start time:05:15:18
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding BEDEEE6C5E800683486D45882C70B787
                                                                                                                                                                                                                                                                      Imagebase:0xf70000
                                                                                                                                                                                                                                                                      File size:59'904 bytes
                                                                                                                                                                                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                                                                                                      Start time:05:15:18
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI1264.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5968562 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                                                      Imagebase:0x8d0000
                                                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

Target ID:5
Start time:05:15:19
Start date:24/11/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI1766.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5969828 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Imagebase:0x8d0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:6
Start time:05:15:25
Start date:24/11/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI2D41.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5975390 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Imagebase:0x8d0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:7
Start time:05:15:26
Start date:24/11/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F32542BB014FEC02096438D522414E5D E Global\MSI0000
Imagebase:0xf70000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:05:15:26
Start date:24/11/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"NET" STOP AteraAgent
Imagebase:0x970000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:05:15:26
Start date:24/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:05:15:26
Start date:24/11/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 STOP AteraAgent
Imagebase:0x180000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:05:15:26
Start date:24/11/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:"TaskKill.exe" /f /im AteraAgent.exe
Imagebase:0x640000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:05:15:26
Start date:24/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                                                                      Target ID:13
                                                                                                                                                                                                                                                                      Start time:05:15:27
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"
                                                                                                                                                                                                                                                                      Imagebase:0x14c07ff0000
                                                                                                                                                                                                                                                                      File size:145'968 bytes
                                                                                                                                                                                                                                                                      MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 26%, ReversingLabs
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:14
                                                                                                                                                                                                                                                                      Start time:05:15:31
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x294e9800000
                                                                                                                                                                                                                                                                      File size:145'968 bytes
                                                                                                                                                                                                                                                                      MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      Target ID:15
                                                                                                                                                                                                                                                                      Start time:05:15:31
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                                                      Imagebase:0x7ff7110c0000
                                                                                                                                                                                                                                                                      File size:72'192 bytes
                                                                                                                                                                                                                                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                                                                                                      Start time:05:15:31
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:17
                                                                                                                                                                                                                                                                      Start time:05:15:32
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI489E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982406 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                                                      Imagebase:0x8d0000
                                                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                                                                                                      Start time:05:15:50
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
                                                                                                                                                                                                                                                                      Imagebase:0x177486b0000
                                                                                                                                                                                                                                                                      File size:177'704 bytes
                                                                                                                                                                                                                                                                      MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1735966351.0000017748910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1736416646.0000017748BC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1735966351.0000017748963000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1735966351.0000017748955000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1735966351.00000177489A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1737064202.0000017749133000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1737064202.00000177490C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                                                                                                      Start time:05:15:50
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:23
                                                                                                                                                                                                                                                                      Start time:05:16:38
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
                                                                                                                                                                                                                                                                      Imagebase:0x1da9c9d0000
                                                                                                                                                                                                                                                                      File size:177'704 bytes
                                                                                                                                                                                                                                                                      MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2206503993.000001DA9D403000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2205662443.000001DA9CBD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2206503993.000001DA9D3D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2205662443.000001DA9CBF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2205662443.000001DA9CC0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2205662443.000001DA9CBD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2205662443.000001DA9CC10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2205522551.000001DA9CB60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2206503993.000001DA9D413000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2206503993.000001DA9D391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2205662443.000001DA9CC55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:24
                                                                                                                                                                                                                                                                      Start time:05:16:38
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:25
                                                                                                                                                                                                                                                                      Start time:05:16:53
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
                                                                                                                                                                                                                                                                      Imagebase:0x1caef670000
                                                                                                                                                                                                                                                                      File size:177'704 bytes
                                                                                                                                                                                                                                                                      MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2365662258.000001CAEF8E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2365662258.000001CAEF92B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2365662258.000001CAEF8A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2366838259.000001CAF0860000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2366618676.000001CAEFB70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2364172083.000001CA80047000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2365662258.000001CAEF8A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2364172083.000001CA80073000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2364172083.000001CA80083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2365662258.000001CAEF8DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2364172083.000001CA80001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:26
                                                                                                                                                                                                                                                                      Start time:05:16:53
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:27
                                                                                                                                                                                                                                                                      Start time:05:17:07
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:wmiadap.exe /F /T /R
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6e45b0000
                                                                                                                                                                                                                                                                      File size:182'272 bytes
                                                                                                                                                                                                                                                                      MD5 hash:1BFFABBD200C850E6346820E92B915DC
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8cb5d135909da489cb092d1315ec748105a50ad27ce0a285b373eafdb10f6eaa
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CF512631B00625CFD710CF68D994A6EBBB1FF55318B1581E9E554CB262DB31EC42C790
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e51d58adbf0d4e9ffeea7b77d99db8a3744314e44bb734fef7ed881a45816f0c
                                                                                                                                                                                                                                                                        • Instruction ID: c4a198d6bf0c908572623e78bdf7b73470dffff863adda3f93b6727d72d334c6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e51d58adbf0d4e9ffeea7b77d99db8a3744314e44bb734fef7ed881a45816f0c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D751ED35B002198FDB15DFB8D9506AEBBF6FBD9344B14812AD855E7360DA30AD02C7A0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 929453508151e771970a76286f9e914cd2ac55c7bde0ee038c60ed87a85e06c4
                                                                                                                                                                                                                                                                        • Instruction ID: e720c22e7d9dab6bdfacc6c5ee76a14813b327b5999ec0b2108394f83d219344
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 929453508151e771970a76286f9e914cd2ac55c7bde0ee038c60ed87a85e06c4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C851E634B04324AFEB059B64D4547AE7BB7EFC9314F14806AD506E7385CE39AC46C7A0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 38ec22216c8f9591e16578b12c25309eb1b903c856310bc836613ab66efa6b0b
                                                                                                                                                                                                                                                                        • Instruction ID: 729a701929824d2a5010eefde12add9a810a3b5328bf2a234fde29f2373cf2d7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 38ec22216c8f9591e16578b12c25309eb1b903c856310bc836613ab66efa6b0b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35410B31B402246BFB18AB64956076E77A7EFD8718F14807DE906FB380CE35BC4687A4
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9afae70941a0f8198a251ca3b228056374d8a2b3b3fffeb3de5233cf0a80ffc4
                                                                                                                                                                                                                                                                        • Instruction ID: 48af4ecf6330e115f103414dd6f1e8a866ab9e9b911988ca378218dd8e886fe7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9afae70941a0f8198a251ca3b228056374d8a2b3b3fffeb3de5233cf0a80ffc4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FA319B317083605FFB295B35911437E3BABDFD5308F0480BAE402DB6C5DD68AC828365
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: dc7858ac74d4d1b2f095b223c8e443875b1a9a4f929c659d7555a5abbfdb485e
                                                                                                                                                                                                                                                                        • Instruction ID: b092b737acf359d525618289c9079bd847be1caf9a7b3d819546dd7730604a68
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dc7858ac74d4d1b2f095b223c8e443875b1a9a4f929c659d7555a5abbfdb485e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A317B3A708325AFD7155A24B91472E7B6AFBD1354B09806BD614EF1A5DE35BC01C3B0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 33e7674253dcfec7a71322a60f07cea03524738d6597d2e3da71914a47a55396
                                                                                                                                                                                                                                                                        • Instruction ID: c67b64828368c9b6d65ddd18970a40cca37a8449291b1945d8b1c393ce53bf58
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 33e7674253dcfec7a71322a60f07cea03524738d6597d2e3da71914a47a55396
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0D413839B002189FCB04DF69D98099EBBB2FF98354B14816AE905EB360DB31EC41CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 862257f6551d1028d73497a91f018169fab959f6f4c0a6b625dd4a27e59880a1
                                                                                                                                                                                                                                                                        • Instruction ID: 7255100e6b2cf6444f3ca29e1b1b67ae2b286d5b791058bbd29d5654952f65d1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 862257f6551d1028d73497a91f018169fab959f6f4c0a6b625dd4a27e59880a1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C821F835B003349BEB159F64CA507EE77EAEF98258F04803AD906DB285DA31ED4AC791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        • Instruction ID: 40a3db0bcdaecdbf15f20fd7b427e97c5036a23c71c40ec41c5d21efe71d68a1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c8e3679838d89836e1bb6529c2b3f72c158ab34bbd173869b1af76ec057ee60b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1101FC387153049FEB095F74A97626E3F9AEBD120430104EBC549DF191ED189C0AC391
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.1390828188.000000000499D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0499D000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_499d000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 38abc57b3c42a48d68ac73a6e3d02a3f989a8a18995e39e51895ec3395cada6e
                                                                                                                                                                                                                                                                        • Instruction ID: 54e6e8f0cc6bc5b7ffbe92dba9b129a050ce21ffcbab5af697c0668029e2580c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 38abc57b3c42a48d68ac73a6e3d02a3f989a8a18995e39e51895ec3395cada6e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2001F731504300ABFB104E29DDC4B66BBCCDF41220F08C62AEC084B182D279AD01CAB2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.1390828188.000000000499D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0499D000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_499d000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d8260bf0e70706417abe01b7f30df51048713371e4d8f5071e86c5a6f29212f4
                                                                                                                                                                                                                                                                        • Instruction ID: 8e0ba8fc7489fb2aec41dccd882d87a2fcdab668f0b0f9c987e5c32d022a004f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d8260bf0e70706417abe01b7f30df51048713371e4d8f5071e86c5a6f29212f4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6E015E7140E3C05FE7168B259D94B52BFB8DF43224F19C1DBD9888F1A3C2699849CBB2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: cab0aca611b16f4181397399ddb32500dd769d18ae7285348d4c188e12ef53a9
                                                                                                                                                                                                                                                                        • Instruction ID: 9702309e4f5e0d1071c32e2b0592934ad07a1fd306b2b03be0f8ad1defe648d1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cab0aca611b16f4181397399ddb32500dd769d18ae7285348d4c188e12ef53a9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0701D131B0012597EB1CAA6882A13FE77A79BC8308F24812EC102F37D0CE796C0687E0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5b20c6506f173ed02a3d005fbe577717c179aba79afd2c87b479ff23e79cf3b1
                                                                                                                                                                                                                                                                        • Instruction ID: 30db8602dae940bc540084a6dbefe5f3a2e2e35e7b28a7e8f74d6be143d88d8d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b20c6506f173ed02a3d005fbe577717c179aba79afd2c87b479ff23e79cf3b1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 84F02B357043205BC7354E16D2C067E7767FFA4358B4940AAE505C7695DF289C05C260
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a60ffcdfd0e5bc92aadc7b630ef06b2be8a592a34465c2d155fb4a74b44e384a
                                                                                                                                                                                                                                                                        • Instruction ID: a14b32027d50116d9299128bebfce3c6ea3bbbb97f02de491a48c2d8a2c7cc94
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a60ffcdfd0e5bc92aadc7b630ef06b2be8a592a34465c2d155fb4a74b44e384a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C6F0C936715360AFE301273471283AEBFA9DB43309F0240EBE541C7053DA348C0583A8
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d5168775e50018213a0a6a6da9f85ce46cd3ed59097aa5ba4d20d710ecf0a10a
                                                                                                                                                                                                                                                                        • Instruction ID: e7e004349b8d0e008cd3a50f0ee0d7cee7f8d39dc0449ce54beff009832c3c3f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d5168775e50018213a0a6a6da9f85ce46cd3ed59097aa5ba4d20d710ecf0a10a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3FF0B436A141548BDB189A68E0185FDBBB6EFC8321F15402EE883A32D0DF315D59DB50
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 57f6bf55d7b6191192c68f7aae6bd702ea1c65e7660e2800ca8a14174d27e833
                                                                                                                                                                                                                                                                        • Instruction ID: c6460026870abf1791ef6295946b9b78ab463ba22471f858f9555d28d68e8d78
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 57f6bf55d7b6191192c68f7aae6bd702ea1c65e7660e2800ca8a14174d27e833
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 40F0967CB007159FFB095FB491B626E3B9AEED2318315046AC109DF191EA289809C791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b0a552e25e503c4a869ea1261976c69509eb17af2f46f3292a1b2b721ad6288e
                                                                                                                                                                                                                                                                        • Instruction ID: 51f2faf7df56160b32b9f4d82f1359149e248148351125ade07f538624250430
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b0a552e25e503c4a869ea1261976c69509eb17af2f46f3292a1b2b721ad6288e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 98E0E537B1015887CB189669E4245FEB77AEBCC261B148036D942B3340EF745E09CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1fb3eb4c67c7125d5d71b3a33de07adab7a83879498c28404805b91372abe5d6
                                                                                                                                                                                                                                                                        • Instruction ID: 96243ced0ac40fe5e656b2c1c7c09de92c9a3546eabf808d67590cb641f1803d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1fb3eb4c67c7125d5d71b3a33de07adab7a83879498c28404805b91372abe5d6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6FE0922171833803FB382964971077722CE9B7470CF0008B9F841CBA49E8D4F84003E2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f286d1f1ae2790cbd6070e35da8b0adce8bf07a7bc64411e56b2ac362fef0768
                                                                                                                                                                                                                                                                        • Instruction ID: 5030adbff80ea32c8bbf21624a79071ced477f61680c681c857acc593d5cdb5b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f286d1f1ae2790cbd6070e35da8b0adce8bf07a7bc64411e56b2ac362fef0768
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 23E08C36640239ABE7112A95A604BEA7A49EB603AAF108072F90C45250CA355894A7A5
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e6f10451d947fb2cff58a7aec2cc5e9338d841f3671aa10618d095f4938bce9b
                                                                                                                                                                                                                                                                        • Instruction ID: fd515e360172bb8b00054313e5c8a3a7d85cc1d1ff674d4021759b56c7b5d0eb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e6f10451d947fb2cff58a7aec2cc5e9338d841f3671aa10618d095f4938bce9b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F6D0C2326003145FA7149AB9940169F7BDECE40260700006EA409D7241EE30A88047A4
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: edf6c5005ad264e186244f90fa0f4ca9f81011694f29b0dd55d0dd803162a4bc
                                                                                                                                                                                                                                                                        • Instruction ID: 81f49cb8bab9780fc24f6ea15751f15dc7e3b728d8cdfa80bf333f143f4ce085
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: edf6c5005ad264e186244f90fa0f4ca9f81011694f29b0dd55d0dd803162a4bc
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 40E0123800E7E49FC7178B3488B5A517F70AE13318B6A00DFC9868F4E3C21B945AC312
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 4f1d3bfec77bf3d60bba5e9475d4a4e163b7ab6b28b99055de97ce0a0866182b
                                                                                                                                                                                                                                                                        • Instruction ID: 6563e99e11f9ceceeb928d56f71414fd1a6ef3465a2ab1ae0ec6ca3b0e46ece6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f1d3bfec77bf3d60bba5e9475d4a4e163b7ab6b28b99055de97ce0a0866182b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 77E086701057205FE722AB71E45618E3F62DFC420474749AAC481CB272DE319C8A8782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 67d9731482b577b9ec2683d88b59374e65d9344ba9012920fe4309241efd6425
                                                                                                                                                                                                                                                                        • Instruction ID: d3b2df24f18514353eac542d266eecca2286409961422b16ca96b6e9f566c990
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 67d9731482b577b9ec2683d88b59374e65d9344ba9012920fe4309241efd6425
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51D0A7763141286B52007655D99596EB7A9EBA83A53508423F90283220DD71BC41A39A
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b8dc64076270cfdc0c8cec703f9520f513c4c0efa04f24f2d65d98ab4b4eaba2
                                                                                                                                                                                                                                                                        • Instruction ID: 54469855bbed82e6dccfb5ceb686934470e1c77134fe878d0241c13d3c6b0f8e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b8dc64076270cfdc0c8cec703f9520f513c4c0efa04f24f2d65d98ab4b4eaba2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CFE01270D042099F8750EFB9850155EBBF4FB58308B1085EDD44CD7600F7329602CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8abd0e3b6fb11a54d965a040ba2ab2bcbfd0ebe9d26c7a049ba6fdbd5fe8d7e4
                                                                                                                                                                                                                                                                        • Instruction ID: 4166ada8445edd480f1050342abfa2915df2513a3bdc7787d95c5a4aed508a0b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8abd0e3b6fb11a54d965a040ba2ab2bcbfd0ebe9d26c7a049ba6fdbd5fe8d7e4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F9D012303C136C6AF71436A1671577A3288EF6171CF5044A9FA4C1D5D1DDA674D0C6B1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1388365702.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_4d20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443353061.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6870000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443353061.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6870000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 06879FF8
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443353061.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6870000_rundll32.jbxd
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 06879FF8
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443353061.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6870000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: n
                                                                                                                                                                                                                                                                        • API String ID: 0-2013832146
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 005d003300f8c84d54087a9ad985f712ec722fc1636b7fb53ff37689b55758f0
                                                                                                                                                                                                                                                                        • Instruction ID: 97c6c86215dc9a1083af97eeeac8bd7fbf9f7e3454f976f161c74d4abd01adb6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 005d003300f8c84d54087a9ad985f712ec722fc1636b7fb53ff37689b55758f0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4F61D576B046568BDB249ABA885067FB7EBEFC4244B10C03BD805D7394EE34FC1297A5
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: db928c9f5db7bba0957404e32e78c9fd7965ba4c4e067823126f031d6122eec4
                                                                                                                                                                                                                                                                        • Instruction ID: fadbbe1ad7a14def4da7cd18124ca62931cbddcdcafd9bc9818685f3795a26c6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: db928c9f5db7bba0957404e32e78c9fd7965ba4c4e067823126f031d6122eec4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52719135B00214DBEF199BB5D8547AEB7A7AFC8310F14C03AE506AB3A4DE75EC129750
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: dce48dc6631851147d1be2404f8115ab4772f1514a55a7d6f7e4f81e7816548b
                                                                                                                                                                                                                                                                        • Instruction ID: 5c46ea989ba50ba1d8dbd9adc79c6d8aac251c8fe60d8e04a10ebcfc03775784
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dce48dc6631851147d1be2404f8115ab4772f1514a55a7d6f7e4f81e7816548b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9271AE70B002058FCF45DF68D9549AEBBF2EF89210B15C5AAE446DB3A2DB30ED15CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 67bc5a87666df0a4e106c51730ace27cd574a4db6e2f30b14edea3cb05d07b5d
                                                                                                                                                                                                                                                                        • Instruction ID: 1c3d99fee68398e38468c0b05d3c0c5dd38b2ce406072199f072746c543d2ceb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 67bc5a87666df0a4e106c51730ace27cd574a4db6e2f30b14edea3cb05d07b5d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EC714974A003089FEB05DBE0D8907DEBBB6EF89314F108429D556AB3A0DE35AD168B56
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7537c51d6e5206cbbfaa8ab6157e3724afba415990813a3958070b246982ae00
                                                                                                                                                                                                                                                                        • Instruction ID: 2b1b0c63e97642c0630bd433fdedaa51d117ebd689b8ae13edf6b8cd81911473
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7537c51d6e5206cbbfaa8ab6157e3724afba415990813a3958070b246982ae00
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 45716874B006018FDB15DF74D4949AAFBF2FF88204B04CA6ADA569B355DB34EC06CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5f47d43dd0c8cfc7ae342035eff377ecd02deb2475305d9d63cdf06696d5bb01
                                                                                                                                                                                                                                                                        • Instruction ID: c5437c74559add8849212d61729f4b19e0395d537365081bf6b23f50c2ee8c39
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f47d43dd0c8cfc7ae342035eff377ecd02deb2475305d9d63cdf06696d5bb01
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 77614B3AB002059FCB01DF68C88099ABBF6FF8931071581AAE519DB361D731ED25DF90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 3a57f781c8ea8446a8c387219176171c9d5003447033197fc92408fe981fed95
                                                                                                                                                                                                                                                                        • Instruction ID: bc502b3c0716da92cfd3ea818d038def554d973dbf979fb57d86c24f45ffccae
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3a57f781c8ea8446a8c387219176171c9d5003447033197fc92408fe981fed95
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F5106343042018FDB589F29D498A2A77E7AFD9611329C0BAE506DF3B1EA70EC11CB40
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 05037e8cc8d8793c3208a32b239765f89dedea3d1cdbb5124c11f9ca70baf9d0
                                                                                                                                                                                                                                                                        • Instruction ID: 5fe972cac4fe94078267f77d125c49a2c1d5354a98a23241d64fb843db95db09
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 05037e8cc8d8793c3208a32b239765f89dedea3d1cdbb5124c11f9ca70baf9d0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 50616E31B002089BDF18DF69D59566EB7F6AF8C710F24882ED416EB390DF74AC158BA1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: add49b58f203a6c38c81c540c554396d2e53d1c4cc641b5f6a291d465f5c4795
                                                                                                                                                                                                                                                                        • Instruction ID: eb8f7051b51b99465eee8f3a50298a979e5ff60924d6956fccba631c74d2d0a8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: add49b58f203a6c38c81c540c554396d2e53d1c4cc641b5f6a291d465f5c4795
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FF41C430B043449FDB15CF64C854BAEBBF6AF89310F1481AAD905BB391DA75ED02CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 31538acc0c3379e84f268a307bafb0820ef80f54f21d4fe1a8bf3ecd694540f6
                                                                                                                                                                                                                                                                        • Instruction ID: b578be8f6bd78775aebf97320527795df85d103d1ec35e557b3c7dd1eed49f3a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 31538acc0c3379e84f268a307bafb0820ef80f54f21d4fe1a8bf3ecd694540f6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8651923470420A9BDB05EF78E5915AEB7E7EBC8600B108629E4169B354DF70FE1A87D1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d84f395b64100ec84a01be7cce6833ed1776ef4d181dfa03cad9ed3174dfc4d3
                                                                                                                                                                                                                                                                        • Instruction ID: ff72db17aaaa35ff4a37c7fdb161fccc34a62eb7c18eda395bebb36e3f167981
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d84f395b64100ec84a01be7cce6833ed1776ef4d181dfa03cad9ed3174dfc4d3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FE51BDB4E0020DAFDB44DBA4E8956AEBBB6FFCC200F108419D6166B354CF356D55CB62
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: dc466a611577c9df1dd00ac3517281e8f23cb74010c413bbd2578cd4de54e687
                                                                                                                                                                                                                                                                        • Instruction ID: eff2d169210602cef7fa578e9f343326702c76f10fdd2fcd6d420718ac4fd378
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dc466a611577c9df1dd00ac3517281e8f23cb74010c413bbd2578cd4de54e687
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DF41E9716043554FCB119F74D854AAEBBF6AF8A200F0445AEE185CB2A2DA74ED0AC751
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 549828adfece42ef3ec678801ab18fbf07099020c7bdf1ef4a98cc94c08a52b1
                                                                                                                                                                                                                                                                        • Instruction ID: 24d587c848a6d2fcece6e39be6e71973db375f58ec230a09eb339ab7f6ed0cae
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 549828adfece42ef3ec678801ab18fbf07099020c7bdf1ef4a98cc94c08a52b1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BA413F70B10214DFDB18DFA5D854AAEB7F6BF88204F14892ED416AB390EF74AC15CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2b8e670bb5b37105d15d38feec8e83906cdba9c0ce77f0e8404870702047b1c4
                                                                                                                                                                                                                                                                        • Instruction ID: 91dc59c602998257dccc390c3a7901af386f4eac078efa92336b481a6be265bd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b8e670bb5b37105d15d38feec8e83906cdba9c0ce77f0e8404870702047b1c4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 86411E70B10214DFDB18DFA5D854AAEB7F6BF88704F14882AD815AB390EF74AC15CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e0ed75dd31159e7952a1b83089b2e032663ebbdb81a89d707ea7faf2875785b0
                                                                                                                                                                                                                                                                        • Instruction ID: ed33dd7f52e25e14efc940570ca3eb397bc57b634f34e522d8f1a6575441ba5b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e0ed75dd31159e7952a1b83089b2e032663ebbdb81a89d707ea7faf2875785b0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A941C631A05209AFDB05DF65E854BBE7BBADF8D310F10807AD80997391CE35AD55CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 4370740fca7fe3a8ace1773099e3a73e921f2f7b4688ca56dd2da5a9b04c7d13
                                                                                                                                                                                                                                                                        • Instruction ID: 45a6f7f2978ca8434faad2baf923089c87c69186630f272bf42dd89cba402027
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4370740fca7fe3a8ace1773099e3a73e921f2f7b4688ca56dd2da5a9b04c7d13
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5A413634B053455FDB01CB68D8449AE7BEBAFCA31031845EEE149DB391EA35AC06CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9bd8806c6ed012715c0da7926084eb636a81f9828f531361393ad5a20dbc8998
                                                                                                                                                                                                                                                                        • Instruction ID: c6a62cf0a2ee803f69fd7a8f4ef49070338894e7ddc225c66ed100cd210dd3b3
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9bd8806c6ed012715c0da7926084eb636a81f9828f531361393ad5a20dbc8998
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EA21BFB1B002059FDF58CE68A854B7F7BEAAB85208F14C47FE806C72D1EB34AD119750
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1a278e9285a2f44ab551eea23654948d74256b824109e25761858e4eed1592f3
                                                                                                                                                                                                                                                                        • Instruction ID: 37be2068326d35349a5a949eb44528c8d18ac19befb7bf5c87536dbdfb580677
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1a278e9285a2f44ab551eea23654948d74256b824109e25761858e4eed1592f3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 26316F70600309DFDF15DF68D880A9BB7A2FF88208B14856AE9159F395DB30ED16CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b21ba1f831744abed6044e64c2e73999fc09e10a5940321898c6e4f737ea41ae
                                                                                                                                                                                                                                                                        • Instruction ID: e20efdb216e024c2e1904c219947d09fce4bf9ea780e75ba6494e89b559945d7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b21ba1f831744abed6044e64c2e73999fc09e10a5940321898c6e4f737ea41ae
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90214B72B002609BEF118A6498506FE7BA9DB89341F04C07BD946D73C2EA35ED0383A1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a4e972d404512084751e396d49bde024b5d949fb149f457a8ef3165f4b8a0370
                                                                                                                                                                                                                                                                        • Instruction ID: 1a3d1b8d9419d100e33923154cfdc370a38419cf2ebb87e3027350632d1e57a9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a4e972d404512084751e396d49bde024b5d949fb149f457a8ef3165f4b8a0370
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BC216B3560E380AFEB23DB38985065A3BB6DFC711031849EBC085DB193D6349C16DB65
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f757f7dfcd6e2968d4c2e0f7d60394c8e3eb19aac1189e53a4e5a66593875773
                                                                                                                                                                                                                                                                        • Instruction ID: 99b3435b638a86a3c839c78835ad3a48504fbcfb9ec41c0a7dcd8e859f551976
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f757f7dfcd6e2968d4c2e0f7d60394c8e3eb19aac1189e53a4e5a66593875773
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51318D75200601CFC729DF24D598926BBF2EF89700708CA69D5468B7A2CA34F856DB50
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 223dc06796b95d94dd6bb7ee5f3d9e754f33ae9e54008fad406d6abe5cdfed1b
                                                                                                                                                                                                                                                                        • Instruction ID: 27d8f3dd27dfece68b730723ab95c999b1a9af260e29230f2e1d5a0cadc502ed
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 223dc06796b95d94dd6bb7ee5f3d9e754f33ae9e54008fad406d6abe5cdfed1b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1D216030A00145AFDF04DF65D851AAA7BB6EF8C314F14C03AE805A73D2DA75AC5ACB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1445048001.000000000419D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0419D000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_419d000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ced8280365a2d546644a2fa438cb162cd470638e96cc0f50a9cd3a83e9dbfe04
                                                                                                                                                                                                                                                                        • Instruction ID: 939558f348540b41d8868196a678860e9eb8a7cfdbb1c615b34ca35860ce3457
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ced8280365a2d546644a2fa438cb162cd470638e96cc0f50a9cd3a83e9dbfe04
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F210775604344DFDF19DF10E9C0F2ABBA6FB84318F24C5A9D9094B256C336E856CBA2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 3e17cf495ec67153aee81e4bb5ecfa76e28f61984978a9a6910f9dc7c862e3c5
                                                                                                                                                                                                                                                                        • Instruction ID: 542f6fd86c4712b0334a7ca0263237093f9a9beb34de16163d2598222d676bd8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e17cf495ec67153aee81e4bb5ecfa76e28f61984978a9a6910f9dc7c862e3c5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 831160767042404F9B54DAADD490A6BB3DAEFC9260714C03BA94ACB396EE71FC018799
Memory Dump Source
• Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6646bbe61e3b4a2fc468f3a16a996321348c2f563e214e115683c769a493819d
                                                                                                                                                                                                                                                                        • Instruction ID: 3346dc598d505364dbd45b2d1d495a4777d3e08bb70337290b2a3dfc7034fc2c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6646bbe61e3b4a2fc468f3a16a996321348c2f563e214e115683c769a493819d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B511E471644354CFCB24CF68D4086AABBF5EF49308F01C46ED1468B2A2DBB5A855CB51
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8b240ae1d85c1dc3721567fc8300c41b35d257c3249468352d96f456d36c3764
                                                                                                                                                                                                                                                                        • Instruction ID: 570fa60875f5cfff066111b0848226a3f4f56f6b200b66e82f45cabbddedc5b2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8b240ae1d85c1dc3721567fc8300c41b35d257c3249468352d96f456d36c3764
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 34115E74B002059BDF14CF95C580BEEBBF5AB9C710F20842AE405BB381DA71AD56CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 553157f2d6b40280c0eea291c0c6df81d8242b275aed555b48af0b56d3970895
                                                                                                                                                                                                                                                                        • Instruction ID: fe4ccf4c01e038e7f19efac8276e5c2e171fbf4ffd0e507a5e25b8083cbb3020
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 553157f2d6b40280c0eea291c0c6df81d8242b275aed555b48af0b56d3970895
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E9217231600156EFDB04DF64E894AB9BBBAEFCC310F219429D849A7341CB75AD4ACB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: bd6fe38325442d6f5849e0247bfed618f8ee67e032a361f88a8cc56ee1cad2f8
                                                                                                                                                                                                                                                                        • Instruction ID: 739b64009dc6bc4265c6f7f84e06f254e5f04e125ee085b1668d1e3d2ce33e31
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bd6fe38325442d6f5849e0247bfed618f8ee67e032a361f88a8cc56ee1cad2f8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61110034A00245AFDB08DF65D850AAABBB6EFCC314F14C43AD805A7391DF79AC59CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a69541a9cb15defd1de291e319548310babe3adb8c37e74b3f4610290b04b85e
                                                                                                                                                                                                                                                                        • Instruction ID: d3c9e4cf947add492f1896fbb224de62a055c8c6e1605050a655cb53d267bccd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a69541a9cb15defd1de291e319548310babe3adb8c37e74b3f4610290b04b85e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0A21E2B5D042098FEB10DFAAC4856EEFBF0FF49314F14842AD559A7240C779AA46CFA1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a1c9bdc062b3c9b2a3544431c887c2577fd07195ee08d68fd1559e465f5705c4
                                                                                                                                                                                                                                                                        • Instruction ID: db106b30c9b306dc376484bfdaa755ba8fdc908a26ea41599b691bfee4122f33
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a1c9bdc062b3c9b2a3544431c887c2577fd07195ee08d68fd1559e465f5705c4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A221C474E003099FDF44EFA8D480AAEBBF2AF89214F5084A9D505A7350DB30AE45CF91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 55de5cfb04c819b4264b6037fa7e1c46a2e6455a415511df2e7857d803a5190b
                                                                                                                                                                                                                                                                        • Instruction ID: 2bad66726f1954a72d122ca0f641d6a8fbfaf21099c40e21ae0c686815c9d59f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 55de5cfb04c819b4264b6037fa7e1c46a2e6455a415511df2e7857d803a5190b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3F118E35B04119AFCB08AFB598559BFBEEAFB88710F148029FA05DB340DE755D068B90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1445048001.000000000419D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0419D000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_419d000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f91abb9352a182756c6c26f8b4f22650d74ed887e572d8e03f4584c0790d32d0
                                                                                                                                                                                                                                                                        • Instruction ID: f1c3fafef65316df07f710c1bf39eacbd140ece5c46d039f82612de08b15733d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f91abb9352a182756c6c26f8b4f22650d74ed887e572d8e03f4584c0790d32d0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9811AF76504280DFCF16CF10D9C4B56BFA2FB84318F2486A9D8094B656C336E856CBA2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6efe05751b4867d479181ee3f5748cf12a1dae3563df2bb26290e63bf0a21854
                                                                                                                                                                                                                                                                        • Instruction ID: 4497177e9d19a75dd8237585510a68074efc2d35e22786ea4f5620dce9f8ab55
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6efe05751b4867d479181ee3f5748cf12a1dae3563df2bb26290e63bf0a21854
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F01DF30204384AFD7119775E85466EBBDAEFCA204708455DE65ACF241DBB5AC0983A2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1445048001.000000000419D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0419D000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_419d000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 48902656cfc064fe55c155cb7cd7c8b2d6d52862503642d0a23d85d37e7ff132
                                                                                                                                                                                                                                                                        • Instruction ID: 74e14d3d8e95677a09e23bc02fa7c33ac6c7aabb1ef4b5fc23fd7f5b5628bb99
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 48902656cfc064fe55c155cb7cd7c8b2d6d52862503642d0a23d85d37e7ff132
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7601F231504300ABEB148E25FDC0B67FBC8DF41264F1CC15AEC084B282D779AC01CAB2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1445048001.000000000419D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0419D000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_419d000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: aa83b966651216cbc35187ba4c6801c5a6649d75bfbf16a25d8f348695b24afd
                                                                                                                                                                                                                                                                        • Instruction ID: 3247981e8a217aa3e9e63fdf3769e23e5116b6b6f936762cae1380fb65208bda
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa83b966651216cbc35187ba4c6801c5a6649d75bfbf16a25d8f348695b24afd
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D011E7140E3C05FEB128B259D94B52BFB4DF43224F1D81DBD9888F1A7C2699849C772
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c1dafd400ac743401b3df1a952a24871cef5d28e941434c386d367e8d1708794
                                                                                                                                                                                                                                                                        • Instruction ID: e81ea4066606bc49a3e310613c0cfe008d5490d7ac84d87ff4c3492b460baf2b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c1dafd400ac743401b3df1a952a24871cef5d28e941434c386d367e8d1708794
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C30149B16043008FEB14AF64E55097A73A2DFD5224305C177D5118F3A1D631EC90CB14
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c9937524f2e186782c55e27efd6fd4376ccb4bab5984f926705b8f6ef6d9a264
                                                                                                                                                                                                                                                                        • Instruction ID: 5b089fee48ab66c807115c27c502a2fb97e0c39401a9515f5d22331a7a5fa927
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c9937524f2e186782c55e27efd6fd4376ccb4bab5984f926705b8f6ef6d9a264
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52018B39B01901DBDF10CF68D69066EF3EAFB89321B61C63AC4169B384D731E965CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b8f3ce6897088a4148d59b2b45ab0b9bfbb0116e384b5d5b849c85d2d5271d57
                                                                                                                                                                                                                                                                        • Instruction ID: 54691096d71097f900a418871a30890b1a9d24bc4e5607145d55a90de0827cae
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b8f3ce6897088a4148d59b2b45ab0b9bfbb0116e384b5d5b849c85d2d5271d57
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2601B170D00309AFDF04EFA4D49149DBBB6EF49204B108599D525AF291CA346F0ACB51
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b8994a16a149fd4b2aa310f3da0c8edff5a2b0c998626539f5a5442f619a4d14
                                                                                                                                                                                                                                                                        • Instruction ID: d0803b6d3840457b1b29e3ab261b46b619101d734d676ff67d69148b6355d447
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b8994a16a149fd4b2aa310f3da0c8edff5a2b0c998626539f5a5442f619a4d14
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E801D672B103118BDB059A54D8413AE7BA3EBC8210F24C92BD6465B380DF70BD1687C1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 62e52a3dd08e2c553f171b1dad794e5ec8e20d128ff2b08f8d8ff1595f7a4982
                                                                                                                                                                                                                                                                        • Instruction ID: 5ff960f2ecb42dbd66e42dda87d51015ba00f86297761cc7d6557fa8c4db9c5d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 62e52a3dd08e2c553f171b1dad794e5ec8e20d128ff2b08f8d8ff1595f7a4982
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1F024723043010FCB588A6E98409A76BEBEFCA160318C47BF50DD7352EA30DC068360
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 665269edff4cfb51b9a4852d00796ece460daa4ce5ee9a32958e61387763df07
                                                                                                                                                                                                                                                                        • Instruction ID: 93eadde554cd79aade4033ffb923187f93be7f1ded09f05fbb00ee477cd745fe
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 665269edff4cfb51b9a4852d00796ece460daa4ce5ee9a32958e61387763df07
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EEF02E767093104FCB051B6CA45065EBBFBBFCD52072900BBD045DB392DE759C064766
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 01ab32983914854e24313e77e4b7be2d80706fa4bf0b8c793069e078195f288b
                                                                                                                                                                                                                                                                        • Instruction ID: e2caa0d10cb297db20a930e8700755a46b10b45d1308d7fc55da8c1ca50235d9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 01ab32983914854e24313e77e4b7be2d80706fa4bf0b8c793069e078195f288b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 18F0C230B05342EFEB195F7874A62663F99EEC9300705487BC1858F1A2FA38C908C790
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7fefce69d90905460a9e8acb463df85bc65f30cd35fe98babaf35de25bb883eb
                                                                                                                                                                                                                                                                        • Instruction ID: 69a0c073333d94ecdb820e902b3dbd64f0af6c617b0146787c424abcb7ac02d1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7fefce69d90905460a9e8acb463df85bc65f30cd35fe98babaf35de25bb883eb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9DF08C217187680EEF251E6915003AB2F990B46718F0181BBCC81CABC3E6F4E82693E2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5f47d110853e58a5eb5563cdc23681908a9be4c14564f6bb811540ea683c9a3d
                                                                                                                                                                                                                                                                        • Instruction ID: bb6707d6c08b00c22f2e7ad17fe4ac22fb272d00b801f4e085c9eefb31fab976
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f47d110853e58a5eb5563cdc23681908a9be4c14564f6bb811540ea683c9a3d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EDF0E5363103128BDB18DA75E8805E6F7DBAF882A0304D6B6D909C7360EE71DC52C790
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 97f4eecca13ba07c622d12824d9ac9509e43dea8776c68f9954c56697dbef3f0
                                                                                                                                                                                                                                                                        • Instruction ID: 0965d4e30bdfbf6082c5a1aadcab77422e537f6d42bbbcaa79867fa0ff9773c9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 97f4eecca13ba07c622d12824d9ac9509e43dea8776c68f9954c56697dbef3f0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C9F0A7313083408FDB159F39A884465BBBAAF9A22175481FAE509DB3A2D964DC058350
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 789cd498686b544ff41281d27d54820af900b100124a15b53aced39201677a97
                                                                                                                                                                                                                                                                        • Instruction ID: 123131b5b0e1b3bcc0dc53be626170efcca16278bf95dd1c9fb1265e39fe1f69
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 789cd498686b544ff41281d27d54820af900b100124a15b53aced39201677a97
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BAF0A0B1E01106AF8F60DFA898002FABFF0AB08250B10887AC919E7340F23097138FC0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e6a2bb69ecda39c02a6317ae1dffd6bf5d0049e72f3b52e82620dcd3a368d2bd
                                                                                                                                                                                                                                                                        • Instruction ID: b4ba178ef65ddf607da4478c476a6576517231ed4b4efff86ee5051e83d35be1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e6a2bb69ecda39c02a6317ae1dffd6bf5d0049e72f3b52e82620dcd3a368d2bd
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5CE0ED313007082B9A15A669E85081EB7CADEC8260300843DE31ECB340DF30ED894399
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d26503d0c9fcde68ad6527bf9c6ed74761d17755ce00212ba770fbab422a9b1e
                                                                                                                                                                                                                                                                        • Instruction ID: e520d0a7b44e4e9bb31dd644cfcc7f37524d53903915ba1a92f0feaf2ee9179e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d26503d0c9fcde68ad6527bf9c6ed74761d17755ce00212ba770fbab422a9b1e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E9F08C716042408FC711DF68C9809917BE6AF56214316C1AAE989CB7A3D325EC2ACF50
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 85cbe9433e1b92d2505034ed6a94018f2765a064d9de39bfcba1682eef49bac1
                                                                                                                                                                                                                                                                        • Instruction ID: e5ca1261dd8626adcf0abdb108d926a37a4dc9631d75d376e78bfcecdacc8c79
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 85cbe9433e1b92d2505034ed6a94018f2765a064d9de39bfcba1682eef49bac1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74E0C23130070457C614B758E04455E7BEAFBC9764B44082DE54AC7700CEB1BC018B95
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9ab7b78e15de250cb86f3c23743ee9d271cd46e70bd32f94c2c0c5982db9d883
                                                                                                                                                                                                                                                                        • Instruction ID: b1383675c296e50ecbbc88620a4bf6e14ddb0d73c52c64d0aa5417fc992d4d82
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9ab7b78e15de250cb86f3c23743ee9d271cd46e70bd32f94c2c0c5982db9d883
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 00E08C313002048FD300DF5CD880C82BBE9EF5A210355C0AAE949CB312C722EC22CF90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9a41908425dfe926758432cddbb0e36b6aab7caeceb5b4bdd21b2b028f0c8d8c
                                                                                                                                                                                                                                                                        • Instruction ID: 40e1b8d553ab09c1b32693fa2cb46c726af74dde748370ff6e33f14b183723c0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a41908425dfe926758432cddbb0e36b6aab7caeceb5b4bdd21b2b028f0c8d8c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03D0A73A300124170A44259E741D52E77AFCBC9D61308013FFB0BC7340CF615C1513D5
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 47d91c9047dd2284b37c633adfb096a9c6f79273bb4e4493dad252a760f9663b
                                                                                                                                                                                                                                                                        • Instruction ID: 92cab500f6831b6db24b2873d7b013772a773cf6ab31c28f30e07a639e6070a8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 47d91c9047dd2284b37c633adfb096a9c6f79273bb4e4493dad252a760f9663b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 81E0B674E0430CAFCB44EFE8D44459DBBF9AB49300F0081AAD819E7350EA345A048F81
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 383d80db828895aab7775cbfef2595a575a766f9873385b69d76c0193876dba5
                                                                                                                                                                                                                                                                        • Instruction ID: b64b043408070b525336beafb8db3d566ede81ee21fe472135bbe99366217448
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 383d80db828895aab7775cbfef2595a575a766f9873385b69d76c0193876dba5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37D02E3238D2504FC309E7A0B4870D57F74AB96230304806BE8058B2A2CC210C93D3C2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f75c8a5d08e6ba105efa7b4d8d08d3b6482582c4f9b5c69b259d698bf3c5be65
                                                                                                                                                                                                                                                                        • Instruction ID: 5f41312e69d743a362ebb9be09cd3b240b283e86676d088c86e27ac51cdb231f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f75c8a5d08e6ba105efa7b4d8d08d3b6482582c4f9b5c69b259d698bf3c5be65
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 44D0A717F4E3606BCF146AB434146A96F5DCB46A21F02C4F7DE0CAB783E9789C114390
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e35a4b0d6591b68a640b8d597dda23b496c52f838292317bd7d2103481edc37c
                                                                                                                                                                                                                                                                        • Instruction ID: 4744ee28f5be2bcf4c10a40189330683ce43e3d601794f43c898d2d7374dbe7f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e35a4b0d6591b68a640b8d597dda23b496c52f838292317bd7d2103481edc37c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 17D0A7323581186B96187655E845AAA77A9E799361350C437F90383260DD717C11A396
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1443314391.0000000004400000.00000040.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_4400000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1747bb402918a1fce92bfe61892c8c9bdf0dd93eab6b2be8a76fc6c0dc28ee02
                                                                                                                                                                                                                                                                        • Instruction ID: 8bc5ab597b05be6915866d5d40540be4f1071adad22c28ec283d55c02d85915b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1747bb402918a1fce92bfe61892c8c9bdf0dd93eab6b2be8a76fc6c0dc28ee02
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1C14BB0E1020ADFDB10CFAAD8847ADBBF1AF58314F24862DD815E7254EB74E855CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c782de8ee29822e00602dd2c590725067b13550fcb95fbd62c56037fb23db9cc
                                                                                                                                                                                                                                                                        • Instruction ID: 4c246ba64cb9aa845f9e4fcb9fcb377253db070026ebdefc59d4001b56cad36d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c782de8ee29822e00602dd2c590725067b13550fcb95fbd62c56037fb23db9cc
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 67B15CB0E1020ACFDB10CFAAD88579EBBF1AF58314F24822DD815E7254EB74E955CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2cd0a935dd0f461fbc588d0a5fc2b20873d03f73d4bb1f67907e99fe89fd9aff
                                                                                                                                                                                                                                                                        • Instruction ID: 2644d89f68959f688bc3c5258aad2231532c8a7cb4dd08c8f1aa2ff415755ec2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2cd0a935dd0f461fbc588d0a5fc2b20873d03f73d4bb1f67907e99fe89fd9aff
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9071E7B5B20219DFEB14EBB5C8547AE77A7BFC8200F148129E506EB3A0DE75DC128751
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ab1ee1926b6ac7f4376ab3acfeb8e5ac86c6d43e32743701fdb7662939347ca0
                                                                                                                                                                                                                                                                        • Instruction ID: ad0eb8a67a0c6858d658c8af33ffdb77fa42487e889cf5c420f095bcebaaa3e3
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ab1ee1926b6ac7f4376ab3acfeb8e5ac86c6d43e32743701fdb7662939347ca0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E8717CB0D1020ACFDF10CFAAC9857DEBBF1AF48314F24822DD415AB254EB74A995CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c915311deaa2b9fe702a05774a6edd2fba3892745a6e31ae0cb97954fed3e790
                                                                                                                                                                                                                                                                        • Instruction ID: 05e7b832222e82c09d133d36a12b51f019020a9f158845a24ee561aca1fbc8c7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c915311deaa2b9fe702a05774a6edd2fba3892745a6e31ae0cb97954fed3e790
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4F717FB0E1030ACFDF10CFAAC84579EBBF1AF48714F24822DD415AB254DB74A995CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6a8729f6c7b3775a891bdc3bb2f21ad6e61715261cd6d0c1bdc9fa5c7d40d1b6
                                                                                                                                                                                                                                                                        • Instruction ID: a0c874ed909118f7b912c1421811fd72d01ae042824c9c24a8e47454d2ca15cb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6a8729f6c7b3775a891bdc3bb2f21ad6e61715261cd6d0c1bdc9fa5c7d40d1b6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6951F0B1B1024ACFCB15DF79D8416AEBBB6BFD9250B28822AD844D7361DB30DC12C791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f1b5e4afc41486e643fc41e8db3b49858e40f1bd22df76451244e35e47d3d6d0
                                                                                                                                                                                                                                                                        • Instruction ID: 11657476be4859bc14c106fdb5ab4654e768704314c5febc2efb6b30afae6cbd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f1b5e4afc41486e643fc41e8db3b49858e40f1bd22df76451244e35e47d3d6d0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 984138B1B20205DBE718EA7998A576E779AEFD8200F14422DD906EB381CE759C12C7A1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 210c425ffbc291f11c394dadfef3bbd16c74950de5ca64a5132b12794385dcac
                                                                                                                                                                                                                                                                        • Instruction ID: 3f34615fb7c82f9e19f1a441320631bded89b279794b6c98025f39bc243fe4f1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 210c425ffbc291f11c394dadfef3bbd16c74950de5ca64a5132b12794385dcac
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B2317CF670834A9FC725D636785762A7F5DDF91250B1C025FE604CF156DA229830C3B1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f948ceb7d277bd26bc0e6c2f6070e6e7a23dcdc56141110ee2cd27dad94f88c9
                                                                                                                                                                                                                                                                        • Instruction ID: 2f25ebb5c858998276df5ebfcc3a71fc45fb5eb83e0a04513a6c73ef9c4bac2c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f948ceb7d277bd26bc0e6c2f6070e6e7a23dcdc56141110ee2cd27dad94f88c9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D2119431601204EFD744CF55F45AAA97BB6EF8C310F244029E419E7340DF7A9865CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 799d6830926adf52cc642da7d2d213c956f7960af28bfd3409fa2e8df9d1a7a8
                                                                                                                                                                                                                                                                        • Instruction ID: cbe7bf5e86a2bc857e2840204cac558f5749c56582072dd6da7746c9efecd8ad
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 799d6830926adf52cc642da7d2d213c956f7960af28bfd3409fa2e8df9d1a7a8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D501F7F1A2411ED7EB28EA6899557BF7BFA9BC9300F10426ED401A3385CE711C048BE2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000002.1451918703.0000000004CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CDD000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_4cdd000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 65f5e06f55b2a8c9886cf4df42c627e3f2a561eac70a6ddab2183f37c10cf4d8
                                                                                                                                                                                                                                                                        • Instruction ID: d1e3cd1cd058724f0621277a509536ef7c2c50d0c565ab51e9e87b174e44c0b3
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 65f5e06f55b2a8c9886cf4df42c627e3f2a561eac70a6ddab2183f37c10cf4d8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DC012B31904300AFF7104E26DDC4B67FF88DF81321F08C11AEE0A4B282D679B945C6B2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000002.1451918703.0000000004CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CDD000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_4cdd000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d1b61c72ec429a9d3d713db5c285491284401266ea45996c961fdd9e112d5434
                                                                                                                                                                                                                                                                        • Instruction ID: 5dbf4bf847ce39b84608dc505d1d1fa015eee4f376de2a81d0a924fceba3dc09
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d1b61c72ec429a9d3d713db5c285491284401266ea45996c961fdd9e112d5434
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B4019E7140E7C05FE7128B258D94B52BFB8DF43224F19C1DBD9888F2A3C269A849C772
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: cd3228b9fd214eba11e0d791998ec4e2df61c1c4a71a7a20b41bbcf0fa7495f6
                                                                                                                                                                                                                                                                        • Instruction ID: d9b9f6d3bf623dad72bab34bab0f6d807bc78b985523b05aad9a380c7ff3dff0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cd3228b9fd214eba11e0d791998ec4e2df61c1c4a71a7a20b41bbcf0fa7495f6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1801F7B061A3898FE71B9779746A2563FA5DEC720030905ABD181CF1D2FA248424D791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: aad933164c3a0ec51bfdc61a3fddeebdb29efe780317a09fbf320a705f6e4af3
                                                                                                                                                                                                                                                                        • Instruction ID: b91c23799ee87426de56f4c33f519d79c820653dd2080249b3fdc86ad229e8df
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aad933164c3a0ec51bfdc61a3fddeebdb29efe780317a09fbf320a705f6e4af3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DC0128712213428FDB09BBB0ED4564A3F72EF85214704817FEA428F692DF72E84287D2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f04cedf03a016e23d78f9c4c734dd0af549f27df0ebfcf0722c5874dea318959
                                                                                                                                                                                                                                                                        • Instruction ID: 85543e03a16825b76850fe5b0d9c35f9632a3ef6590c41a3eeea044c736989f5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f04cedf03a016e23d78f9c4c734dd0af549f27df0ebfcf0722c5874dea318959
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B4016979A10215CFC704EB7DD4056AE3FF1AB89715B10007AEA4ADB350EF359D02CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1bc38ea1f9cc4aa76426488c19d66ae68fc6909d8537742abbd7feefb5bbe45e
                                                                                                                                                                                                                                                                        • Instruction ID: 0526c7c557eda47375dcce40a3da51dedafd79b14c0a67220dad2ad9130e6d93
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1bc38ea1f9cc4aa76426488c19d66ae68fc6909d8537742abbd7feefb5bbe45e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 34F028B07053468FEB1ACB7AB46B2263F99EFC620030806AED041CF1D2FA248420D7D1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1451166618.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_72c0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: cfb36bd41aeaf7c4fe992cb3effbb6e8e6a37e57abec1576217a912dd94d7700
                                                                                                                                                                                                                                                                        • Instruction ID: 7d96b78c027552cd978dd43fed33b3fb4565ff28e53038bec9314237ee08d4d1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cfb36bd41aeaf7c4fe992cb3effbb6e8e6a37e57abec1576217a912dd94d7700
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7BD0C93610A2914FCB038B64A9864D1BF71AB1232671903D6D04085466C62A4994C762
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 981484d12e41123d4a8c77211b765a45937f0aac5516e681b3efef73ec4d091a
                                                                                                                                                                                                                                                                        • Instruction ID: 20e292a7ee9cbe026b222faf5f264ad4430ab143c5bba7658b47685584f8b03a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 981484d12e41123d4a8c77211b765a45937f0aac5516e681b3efef73ec4d091a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6FE1B530908A4E8FEBA8DF28D8567E977D1FF55350F14426EE84EC7291CE78A941C782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6939076f29d3764a42a27dfa440b360bf701d62f4d79fa575f2f26eab1c09562
                                                                                                                                                                                                                                                                        • Instruction ID: c1df39ee121adf7aa62dcfdaa50f7e0020807bf636ae6a717f8d836ab32708ec
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6939076f29d3764a42a27dfa440b360bf701d62f4d79fa575f2f26eab1c09562
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 17417930D1852ACFDBA9DB58C4957E9B7B1FF49340F5042B9C00E97285CA38AE89CF41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 00d8b27d949c0223d7ec249cbb688777814274aa53de032202eba9784181fd12
                                                                                                                                                                                                                                                                        • Instruction ID: 2ecc0e30d36f2830eb99415d993fa6e441241e096f135bda58307b72a013075c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 00d8b27d949c0223d7ec249cbb688777814274aa53de032202eba9784181fd12
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FC11A971C0861A9FE7A59B28C8963F9B3B5FF44650F5400FAC00CA32A2DE382E85CF41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 0d07206ad8e9e27ddf7c6aa5970a2956db77724449b1a8a6d65394e959f51387
                                                                                                                                                                                                                                                                        • Instruction ID: f1e911f5e9b59408cec5f55fc05b2482af508e45c77da13c1c67fd51fa95b3bf
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0d07206ad8e9e27ddf7c6aa5970a2956db77724449b1a8a6d65394e959f51387
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F4012C30C5D256CBE3559E6084963F9F2B4BF07380F6024B9D00A67192DE7C9D84DB49
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: M_^
                                                                                                                                                                                                                                                                        • API String ID: 0-3807191693
                                                                                                                                                                                                                                                                        • Opcode ID: 55b75df9fc2ace567ac64cf62c60740babe0072dd0c9f9dfaef0c28910bc935f
                                                                                                                                                                                                                                                                        • Instruction ID: 5a9ff875878405d0f2aab89773f33163e33a8eb60477a876073cde11e9ef3b7c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 55b75df9fc2ace567ac64cf62c60740babe0072dd0c9f9dfaef0c28910bc935f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90B12926A1D7964FE3566778A9571E87B90FF42271B4806FBC088CB0D3ED1D6845C3A3
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: r3X
                                                                                                                                                                                                                                                                        • API String ID: 0-1797456553
                                                                                                                                                                                                                                                                        • Opcode ID: 88740b90b24811d8f9272e9631d671fe6edbf0b227cb18bcd44be10f63b73d98
                                                                                                                                                                                                                                                                        • Instruction ID: b24f5efcba8928da6f2e20b86e38d7936822d3e8b06fcf91805325ac310d54d6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 88740b90b24811d8f9272e9631d671fe6edbf0b227cb18bcd44be10f63b73d98
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5511D630A1460ACFDB44EFA8D856BE9B3A1FF45740F514579E00DD7282CE39A841CB42
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1517217248.00007FF886AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886AF0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886af0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 23f1c290fb46f67a2a8214b66dd184bf11271eb3934c801e83f34d5af14195ae
                                                                                                                                                                                                                                                                        • Instruction ID: af9ecb526d4bc629d2fc0acbd08a10063fd8ef428fda14cc8e4e4cee61ada1dc
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 23f1c290fb46f67a2a8214b66dd184bf11271eb3934c801e83f34d5af14195ae
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 19F1E530B0CA494FE7A9972C98AA6797BD1FF56710F0401BED08EC71A7DD18AC42C782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2e9ceea0557b2df660209080f1b52ef47175c9f32abbf388b5db1cc4c175a2db
                                                                                                                                                                                                                                                                        • Instruction ID: bbae240f1df0435a40328e0b13ece35fb5ca8519d2b13ab9233f7e2303a288ad
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2e9ceea0557b2df660209080f1b52ef47175c9f32abbf388b5db1cc4c175a2db
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E5224770918A1ACFDB99EB64C4957E9B7A2FF59304F5005FDC00ED7292CA39AD81CB12
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b66d51a3f5baa2b99e4f398700787de5606e58b65608ee5ae06b21351c2dfcc7
                                                                                                                                                                                                                                                                        • Instruction ID: 4a750b96b294e689c05a78715a0506d4806ce96d753bcb9a4c3d023395d1df7e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b66d51a3f5baa2b99e4f398700787de5606e58b65608ee5ae06b21351c2dfcc7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AAD1C530918A8D8FEBA8DF28C8567E937D1FF55350F04426EE84DC7291CB79A945CB82
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: cd2c40a7ecc9b88cbf1d242f5b64be07f02c691cd47179d78011e644ee9b0133
                                                                                                                                                                                                                                                                        • Instruction ID: fef437ebad220042bde321d90f59bd0fef1e7dc8775b8a6e4f81d3cfad456068
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cd2c40a7ecc9b88cbf1d242f5b64be07f02c691cd47179d78011e644ee9b0133
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 09B13B6090D6C78FE791DB288857AA53BE4FF16394F4811F9C05ACB1D3ED18AC0AC782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1d13446ebbdfe4d6c72d3828f8f25791b8a518a1be387e57d1352a39def8857f
                                                                                                                                                                                                                                                                        • Instruction ID: 72bb8150f8841e20325bc1d3c0cdc852affdf6b68bf9c94b1acc153213c10876
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1d13446ebbdfe4d6c72d3828f8f25791b8a518a1be387e57d1352a39def8857f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A4B1E774A08A5D8FDF94EF68C895BA8B7F1FF69300F1141AAD00DE7261DA34AD81CB41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e4b20e89baa2d01656cfa89fb406a4ef19566a910abe63f07e973fe36cc708a5
                                                                                                                                                                                                                                                                        • Instruction ID: 0144999b22c2e873ec5f7c1daed7f6e8b2ffe26bac0f80bfa19d013a430c302f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e4b20e89baa2d01656cfa89fb406a4ef19566a910abe63f07e973fe36cc708a5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FCA18B70C0966A9FD7A5CB64C89A3E9BBF0FF45350F5440F9C049A72A2DA781E86CF41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1517217248.00007FF886AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886AF0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886af0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c566d9eeead171884bf464a94ace46f2bcd9470b48b44d96191fe19a4e86e834
                                                                                                                                                                                                                                                                        • Instruction ID: 3278628495788d6a2b6f3c841268cc3dfc739f0c3c4ddbc46ff60788ebf444f8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c566d9eeead171884bf464a94ace46f2bcd9470b48b44d96191fe19a4e86e834
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3F51A570B1CA084FD758DB1CD895675B7E1FF99750B0102BAE44AC3256DE25EC428792
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ad44d8e094b87c3d31c8804db6bf06dbb45f88853a5e0713f60d439dead04fb3
                                                                                                                                                                                                                                                                        • Instruction ID: f186d74f2adbf7c9f043ab424f338a45a7b7d0eb00c0738dea821c5b86f0b9c2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ad44d8e094b87c3d31c8804db6bf06dbb45f88853a5e0713f60d439dead04fb3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51615838D09A5ACFDBA5DB68C4467ADB7B0FF15340F2001AAC00EE7291DA396C85CB42
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e9581d0d08dce9484c70d913fa6f8f328cd9a6936ae8010a350b1b9906dbe078
                                                                                                                                                                                                                                                                        • Instruction ID: 3e219c1b388ff64367ba2fc3a134d1671427fdcd5abe381d3df055628bd6f4a6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e9581d0d08dce9484c70d913fa6f8f328cd9a6936ae8010a350b1b9906dbe078
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D5518131918A1C8FDF58DB58D845BE9BBF1FB59310F1082AAD04DE3252DE34A985CF82
Memory Dump Source
• Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000D.00000002.1517217248.00007FF886AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff886af0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 713593554dc4211203b399b912342c0d8019891f1baef36c9904fe6f7b2bac00
                                                                                                                                                                                                                                                                        • Instruction ID: 61f26060460b4ad08b3e29d515ed7b2e423b26e66f949f4242011db11cc88112
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 713593554dc4211203b399b912342c0d8019891f1baef36c9904fe6f7b2bac00
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B21163190865DCFDB48DFA8E855AFEB7B1FF59300F0505AAE00AE7292CB74A950CB51
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 95dd5711cd03ea30611e650e255281fa4a1725cdc9d3f29369a4bd92297ec34b
                                                                                                                                                                                                                                                                        • Instruction ID: 55d4dd2207b69c6942e20a2f57a7c0915c55444a9c65a0ecede057a607a917e3
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95dd5711cd03ea30611e650e255281fa4a1725cdc9d3f29369a4bd92297ec34b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A211631D1890DDFDB94EBA4D8566EDBBB1FF69340F5000B9D009D7292DB38A881CB41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 0595c7a051131f08a588cc4fb3c3059508815e9bbc9703505d7efa5beefe3e35
                                                                                                                                                                                                                                                                        • Instruction ID: 16ca9a2d090073be2f081aef13b91d0ec3aafe0ed3eaeb73d70904bed22a06da
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0595c7a051131f08a588cc4fb3c3059508815e9bbc9703505d7efa5beefe3e35
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8121B66190E6C6DFD756A774885A3A87B90BF51390F4804FFC0999B1D3EA286C08C753
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2b9dcda30ce0521656dc94bf3996de89349b69ef6fe12b4fb29e2bf4cd547d97
                                                                                                                                                                                                                                                                        • Instruction ID: 3484d993611ddbdc018c7be7507d56b4247e0258e973814de78d68e0acbb833b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b9dcda30ce0521656dc94bf3996de89349b69ef6fe12b4fb29e2bf4cd547d97
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E8312670D096298FEBA5DB64888A7E9B7F0BF19340F4441E9E04CD3192DA785EC5CF41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e39a2fae891c862460c4f9cb78383dad0e231b205b1bbe3ff9e7c5f0764ac3ae
                                                                                                                                                                                                                                                                        • Instruction ID: a1faca8aa5b6a652d0b8a412a110d8deb400dd2bbfcb44f6f212aa1918bb757d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e39a2fae891c862460c4f9cb78383dad0e231b205b1bbe3ff9e7c5f0764ac3ae
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0E219030909B9A9FE7A6DB6484863A9B7F1FF46360F0005FAC04DD72A1DE791D84CB42
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2179bab006fd3c3469012c1c2814eca294b946382e0879a03c5b4d540ae5153d
                                                                                                                                                                                                                                                                        • Instruction ID: 3773946f3bc6c9e1b596302d0520751259390bcbd7553aa87dffd204ef5b465d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2179bab006fd3c3469012c1c2814eca294b946382e0879a03c5b4d540ae5153d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 70119D31C1DA899FDB92AB74C8266E8BBF0FF5A350F4400BAD049DB192CE285845C742
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: aff606dd84e361ec378194b6890b8de42626337bde57a6d5f8001b5b356d6879
                                                                                                                                                                                                                                                                        • Instruction ID: 67174e250c47a256ed9659acd29950e560bcc1cad9db5f5ceca2c87dc19614d5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aff606dd84e361ec378194b6890b8de42626337bde57a6d5f8001b5b356d6879
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64118670909A8A9FD7519BB8844A4FDFFF0FF16321B5402EED44997162DB389842CB51
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b0b94ff2c32488ea0ef247dafb26598343936e0ecd098ade67cead92a198e9e8
                                                                                                                                                                                                                                                                        • Instruction ID: ed04c468223d52f1d4891d4935fa5e7b7a4031405876327c17ea3a5197f1d67d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b0b94ff2c32488ea0ef247dafb26598343936e0ecd098ade67cead92a198e9e8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0011E530A55A0D9FD790EB98984B5FDB7E4FF81361F8001B6D008D7191EE681C428282
Memory Dump Source
• Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8702cb892de195ebf90ad8cd516615033131cc0f167a7a4be562c08c1b58d56f
                                                                                                                                                                                                                                                                        • Instruction ID: 44e9c03be6e9824d67fc11d1eaf993b84be44a8ee5159d12ae78ca57f3d9dc30
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8702cb892de195ebf90ad8cd516615033131cc0f167a7a4be562c08c1b58d56f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5A11E5229196DACFE751BF6898A52F93B90FF45754F040576E488C7093ED289849C2C3
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 007998ff835d5ba869f185e0ca997ed86695b58ad88bf546d900f190e9ad724d
                                                                                                                                                                                                                                                                        • Instruction ID: 92c442e8e751e4cd16d747b9aff02f062cf3e3c16fbea3ea0bbb268955b5c2f7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 007998ff835d5ba869f185e0ca997ed86695b58ad88bf546d900f190e9ad724d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E119930A0991CCFDF94EB58D495AECBBF0FF6A311F4010A9E00DE7291DA39A980CB05
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8a9b323fa418f05fa852c9d28ba5ea4499b629c1ae373ba712be78bff0468ab0
                                                                                                                                                                                                                                                                        • Instruction ID: d9db70d95b9201452013e023460eada22166eb76286cad19448d3041a39b8ec2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8a9b323fa418f05fa852c9d28ba5ea4499b629c1ae373ba712be78bff0468ab0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9111CB31D0CA4A9FDB50ABA4C8062EDBBB0FF46350F4402BAD009E7193DE6C6958CB42
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2c99545699383909f37b2d6570138c51b0fa584f547e735fda0b703de6afa7d1
                                                                                                                                                                                                                                                                        • Instruction ID: 237b52ffbc45d56c69649100f4dc3f212d6055bc5558807e38996644688df56f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2c99545699383909f37b2d6570138c51b0fa584f547e735fda0b703de6afa7d1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5A012421608E894FDB8AEB2C8551AB07BE1FF9921030900EAD00DC7293CE19EC05C742
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 83636ead1695ca26ea1e2a8750ed5c910a55c7625d6e6af73bb5eb038c926f45
                                                                                                                                                                                                                                                                        • Instruction ID: dc6be2b9199ce96ea712977a4c55ec1ed1e9d3d5011795dfc1a130b843191091
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 83636ead1695ca26ea1e2a8750ed5c910a55c7625d6e6af73bb5eb038c926f45
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE111670C0862ACFEBA5DA54884A7E9B7F5BF54351F0041F9D04C97291DA785EC5CB81
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 75ac80902559776e9083e120f1d2ab6486a38bad8d2cd38c8c6fc5d5e3063be3
                                                                                                                                                                                                                                                                        • Instruction ID: 70e433b31aa0de3f2239f804144c3816f1fc1c410925b4f5ce76d7521ddbd2b8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 75ac80902559776e9083e120f1d2ab6486a38bad8d2cd38c8c6fc5d5e3063be3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FC01F57180AB4A8FD7A9EB7088563EA77D0FF81350F4100BEC00AEB1E1DA781C04CA82
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2034f49a30de3911efc0945afffb11ab48f8b6e39604a6c6b36d8d8a1e02687b
                                                                                                                                                                                                                                                                        • Instruction ID: 42bd3ddc730ed88736e7ddf06a88d24693a315e7fc7ed2fea1e16af6519a73f5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2034f49a30de3911efc0945afffb11ab48f8b6e39604a6c6b36d8d8a1e02687b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F2015B70909A29DFEBA2DB68884A6EABBF4FF09350F4400E5D40CD3152DA385E82CB41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 117b01e7f2320115f1e64b609a4cfbe3e345b1054f62efa1c8fa413bd58a6924
                                                                                                                                                                                                                                                                        • Instruction ID: a050677545874cc29f9ab728191bb7489ebcb8d23312525e805e07b876d68474
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 117b01e7f2320115f1e64b609a4cfbe3e345b1054f62efa1c8fa413bd58a6924
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FF118670D096298FEBA5DB648885BE9B7F4BF19340F4041E6904DE3251DA785EC5CF41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a99a732ff7bae0dc5462ee1cb1164cd20661fb74db84a9d1fb5af5e8da293f0d
                                                                                                                                                                                                                                                                        • Instruction ID: f8721c9fd6378a82308aeed9f96a0d2fa5cd9f2a40f411fb91eae4b62f440922
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a99a732ff7bae0dc5462ee1cb1164cd20661fb74db84a9d1fb5af5e8da293f0d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B511837490462D8FCBA9EB28C895BD9B7F1FF69301F1441E9900DE72A1CAB49E81CF40
Memory Dump Source
• Source File: 0000000D.00000002.1516900410.00007FF886A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff886a00000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1a4169535588d69fff69763a5b6595670f1dbe9f998ffad076c41e6a377419d5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3572A730A1C95A4FDB59EB68C4A56B9BBF2FF54340F5441B9C04EC7297CE29AC42CB42
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: |R_H
                                                                                                                                                                                                                                                                        • API String ID: 0-716288735
                                                                                                                                                                                                                                                                        • Opcode ID: 0552352293259a49d84fac2adbe5a2051daf7a942668f40b6253a30d6a5774c4
                                                                                                                                                                                                                                                                        • Instruction ID: c63a189e90a91c5fdbbbf621f2056a76614ce6620d79782818754d5f4c5699fd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0552352293259a49d84fac2adbe5a2051daf7a942668f40b6253a30d6a5774c4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D542F27180D7C68FE3A68B2884566A53BE0FF96354F0815FDC48D9B1E3DA286C0AC753
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: RI[
                                                                                                                                                                                                                                                                        • API String ID: 0-3445116959
                                                                                                                                                                                                                                                                        • Opcode ID: caeaacf976c373fa013066ab56a96fd3a291b29e4bf2a8237fdec89f758b0ef4
                                                                                                                                                                                                                                                                        • Instruction ID: c7cdf85ee1b0f556dc6a18df9adffefb4a2305b3b8bab5dfd8e47844f8f7ce1b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: caeaacf976c373fa013066ab56a96fd3a291b29e4bf2a8237fdec89f758b0ef4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D5B17D709086598FDB99DF58D8A97F9B7B1FF49300F1005EED04E972D1CA396986CB01
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 0276671cb38ba98374da239297358dfee2e6a25eb7765602209339660ce1457d
                                                                                                                                                                                                                                                                        • Instruction ID: ea2c673272d3e9e5de1a7cda3e644addbce4e36e2fd7cc0184b9b93421b8e9f0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0276671cb38ba98374da239297358dfee2e6a25eb7765602209339660ce1457d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8AB10770D0861ACFDBA8DB68D896BA8B7F1FF58341F1041A9D00DA7292DA356A85CF41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 22342d6c712eba02e766921f28cc0c467384bc9b99734467b22300e874ad37cb
                                                                                                                                                                                                                                                                        • Instruction ID: 68b96ac8e6ad7fbf2cbb3127f109c77363e11960ea959a228b7a5a0d5fb6f865
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 22342d6c712eba02e766921f28cc0c467384bc9b99734467b22300e874ad37cb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0581F574D08A198FDBA8DB58D856BACB7F1FF58341F0001A9D04EE7292DA35AE85CF41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 77c0895a62a1e64cfcb553fa171e6bb05dc77c7f6d878ddf82ff4f217b05297c
                                                                                                                                                                                                                                                                        • Instruction ID: 33de945a14ea28ef939d09b4ae69242cc2becdb6581a072295c218a164fcccc7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 77c0895a62a1e64cfcb553fa171e6bb05dc77c7f6d878ddf82ff4f217b05297c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 00418C31D0969A8FD799DF68CCA96FDBBB0FF45240F0505B9C049A72E2CA396C45CB80
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: H$H|/$_$!
                                                                                                                                                                                                                                                                        • API String ID: 0-2458546907
                                                                                                                                                                                                                                                                        • Opcode ID: 413d20cb5931b5e210cbdaceb4fd996a2e78f7ec6a1841df9d85241518defd17
                                                                                                                                                                                                                                                                        • Instruction ID: ffd5b5f515550bbb1e3091f9f06bb3a22213590c58ca4a0060dae92fa2407aeb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 413d20cb5931b5e210cbdaceb4fd996a2e78f7ec6a1841df9d85241518defd17
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C872D730A1CA4A8FE759EBA8C45AB79B7E2FF54744F1441BDC04EC7192DE29AC42C742
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: @._^
                                                                                                                                                                                                                                                                        • API String ID: 0-963891619
                                                                                                                                                                                                                                                                        • Opcode ID: 859234b026992835e360fc13d77fa45d06b289454561f6835f61d4cd24830cfe
                                                                                                                                                                                                                                                                        • Instruction ID: d2a4821f5adaded2185d054ae83cb6d912e7c7b67dd24961c4746b40c00b0a06
                                                                                                                                                                                                                                                                        • Instruction ID: 56e6df6334ff44cdecf9a838c43128e302559c0e044158699b7bf78b926abc5a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ce11a0b99f9943066b0f5bd1881aeb930becdce8f594f9223ea2962df1186723
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FF610B30B189198FDB98EB5CD899BB977E1FF58751B5100BAE04EE72A1DE24EC41C740
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: ^N_^
                                                                                                                                                                                                                                                                        • API String ID: 0-3244440111
                                                                                                                                                                                                                                                                        • Opcode ID: 877aaa9f05f9f897e9ca14e0ff16539366491aac1bf5a52565fd9c1a5717e02b
                                                                                                                                                                                                                                                                        • Instruction ID: a134158de115cd2ef670b5e3e1a78f3fa9b79ae1b461f7aff0236575ea7583f9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 877aaa9f05f9f897e9ca14e0ff16539366491aac1bf5a52565fd9c1a5717e02b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A0519622A1C7924FD343A7BCA8652D93BA0EF4267574941F7C1C9CF0A3ED1C2846C7A6
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: Xy/
                                                                                                                                                                                                                                                                        • API String ID: 0-700447796
                                                                                                                                                                                                                                                                        • Opcode ID: 61e0ab5962fa3ac72c17daba05100fdbf785b40631b9309bcab646703be5857d
                                                                                                                                                                                                                                                                        • Instruction ID: b355b0d70743c2a1b3bbe08b342bc8db4fbb4033551567afeb238b087e8f83be
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 61e0ab5962fa3ac72c17daba05100fdbf785b40631b9309bcab646703be5857d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5D31C53190CB868FD744EB38885AA65BBE5FF96350F0406BAD489C71A2DE24A945C743
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: +%
                                                                                                                                                                                                                                                                        • API String ID: 0-3645226418
                                                                                                                                                                                                                                                                        • Opcode ID: 862a4e8bef26b6957b3c8f0de8616a1d94abc0b5279b93bb2ede4168e0024ee2
                                                                                                                                                                                                                                                                        • Instruction ID: 39953318909511512e9f183aae7a086a41349fa3d85d1dc0934e2b4ec92dd87c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 862a4e8bef26b6957b3c8f0de8616a1d94abc0b5279b93bb2ede4168e0024ee2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C0F08211E0EEDA0FD656922C6C691B82BC1FF951A074E01B7C44DC72D7ED4D4C468382
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 39738cbecb4121743dbc057c349262bcd8ad2274f4ca2efccd596593f0564f22
                                                                                                                                                                                                                                                                        • Instruction ID: 8b496bc027715eb261532e81e483302836c6597587c0e4e06207689c6bf0d6f7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 39738cbecb4121743dbc057c349262bcd8ad2274f4ca2efccd596593f0564f22
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6042A461A1D7874FE366A77858667B97BE1EF8A250F0404FED4CACB1E3DD2858028347
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e9ca9ee18793c2770da8db88a946dfc1e536e03857067fde8918838823bd36b3
                                                                                                                                                                                                                                                                        • Instruction ID: 96ad30797689ff0a727152b87011f7ec3885dd296c89f43eb70111abacb0b981
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e9ca9ee18793c2770da8db88a946dfc1e536e03857067fde8918838823bd36b3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2122E130A1C6868FE759CA2C849627A77E1FF8A740F14857DD5CAC7293DA28EC06C743
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1a6e324cc36731bf79b2305d59037decaddd4191d3a190215f2e430734b8e2b0
                                                                                                                                                                                                                                                                        • Instruction ID: 2dbee257b0908159ac8f536fabe5f737e699e0e5a4f27acb9337e6e17e5b6dd8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1a6e324cc36731bf79b2305d59037decaddd4191d3a190215f2e430734b8e2b0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8B123660A1CE8B4FE79D9B6C94656B977D2FFA8780B0004BDD54EC7196DE28FC01C262
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 37f8edc797d40ccfe2967091ae62f6b01dd412cff3beac2e0fdb7a985ec5cb51
                                                                                                                                                                                                                                                                        • Instruction ID: 9be7ddc28c793c61949de1d4c920e49f1f3d9b69b36a2202dcd9c17a60232787
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37f8edc797d40ccfe2967091ae62f6b01dd412cff3beac2e0fdb7a985ec5cb51
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3FE11831A1CA864FE359EB2C98596797BE1FF99750B0501BED08EC71D3DE18AC06C742
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2c3cb0d3001e885233a8c11b2e810f144d0e0d47d1dbfc4d0b6e0e123046b2e3
                                                                                                                                                                                                                                                                        • Instruction ID: fb2095a8fb940e7f6991e7aa4ff6eabaf8921c0f0bc6e71e673b342c6d908949
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2c3cb0d3001e885233a8c11b2e810f144d0e0d47d1dbfc4d0b6e0e123046b2e3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F2F1A270A1CB8A8FE754EB2884566A9B7E2FFA8340F54457DD48DC7292DE34E842C743
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a5320fdd1263754bb2a0aeab6915b5358403e0838975500b483fd879d82fe986
                                                                                                                                                                                                                                                                        • Instruction ID: 928131229582f1d8184fa97e9e9fcfe7bd9bf8e34b47a2361fee0d9d6a5d475b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a5320fdd1263754bb2a0aeab6915b5358403e0838975500b483fd879d82fe986
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03E11B30A18A4D8FDF88EF18C495BA977E2FFA8754F150169E40DD7296CA35EC42CB81
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6023bd4a2c84854cdfdcd183ab3898618d8910bce749485513b6f604e4d89473
                                                                                                                                                                                                                                                                        • Instruction ID: 7ec8ecdc4b079abb10d4500b3c4cf9fea12d0af8d517e0c0e60fb43912159438
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6023bd4a2c84854cdfdcd183ab3898618d8910bce749485513b6f604e4d89473
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 38F1827061CB858FD759DB28C4926AAB7E1FF99340F04457DE48AC7292DA34EC45CB82
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: da958d12e9a6cd8cc27fb89ac2fc9b89d0d3261832468c302e4d64094d525ef6
                                                                                                                                                                                                                                                                        • Instruction ID: 23e5d21ea07bebfbbb4815b374d6a35dfec2381919b2747f0f8f36f6fa16a4bf
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: da958d12e9a6cd8cc27fb89ac2fc9b89d0d3261832468c302e4d64094d525ef6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DDE1CF30A1CA458FEBA9EB2C845A77977E1FF99350F14047DE18EC7292DE28AC41C742
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: db64547bc8d0bd5e3bd265ef5ff49e4603a461e040b84e16f0e6cd042e98e7a7
                                                                                                                                                                                                                                                                        • Instruction ID: bc1cda07cd154a2d030faa4b3a10f0044e492022d3927b83146894b2e4512abb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: db64547bc8d0bd5e3bd265ef5ff49e4603a461e040b84e16f0e6cd042e98e7a7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 57C1163160CB898FDB54EB18D8496A5B7E1FFA6350F05027ED04DC7292DE26EC4AC782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c9af8091079caba4fee3fd81da9fb5f3a6df1854035b28e4a2e8338f64742feb
                                                                                                                                                                                                                                                                        • Instruction ID: 7559953a4bfd76cac7805f10a1c2026e8c3d4852c9d744e29395418d6dfd3a42
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c9af8091079caba4fee3fd81da9fb5f3a6df1854035b28e4a2e8338f64742feb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7FC1E726D0DBD68FE746ABA868A61F97BE0FF55754B0800B7C088CF193EC285D45C392
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ca4a1f56efa4637ff33faa20e93829b44f58688524ed6ea84469cf6259fdc180
                                                                                                                                                                                                                                                                        • Instruction ID: ce4eed919e906aad21f51f0a5af0737972986fd3208e85e96f19bb91ad24ae3b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ca4a1f56efa4637ff33faa20e93829b44f58688524ed6ea84469cf6259fdc180
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 26C1D631E4CA4A8FEB95EB2C88567A577E1FF59340F1401B5D44EC7296DE24EC42C781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6dddcc4f5099664a061001bbb73fbf92cb42760937dd4a509133c3052de7d9e8
                                                                                                                                                                                                                                                                        • Instruction ID: 47253b418f812698918a0d2e55e9a21b986ac7347965b2ca3e7c94757f12dcb9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6dddcc4f5099664a061001bbb73fbf92cb42760937dd4a509133c3052de7d9e8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8AC1E826D0DBD68FE7469BACA8A62F97BE0FF55754B0800B7C088CB193EC285C45C352
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
Memory Dump Source
• Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8571848f47651770de6c6eabc649b90d4d4c2f9be4855309fe7a77437dee2096
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A691F331E1CE4B4FEB5AA7689559ABA77D2FF94750B8400BDD00EC72D2DD29BC05C282
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5b7c08d31eb6c75ed46076f5d154896acef565d757d42aa89dbb5baae9bf91b6
                                                                                                                                                                                                                                                                        • Instruction ID: 7c1ba8f317599f6cb35a48f2cf355a9917e07eb9b00ad8791ce4cd3dbd12c92b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b7c08d31eb6c75ed46076f5d154896acef565d757d42aa89dbb5baae9bf91b6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DCA1A371E18A8A8FEB95EBA8D8697BCB7E1FF55740F040179D00DD72C2DE286C458B42
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5c572c2fd8033d0d5f5635f0894552df6ec9504d1d7df8554206241f5f7d4371
                                                                                                                                                                                                                                                                        • Instruction ID: c88a339c624eb0cf03857f3d6febd943e091e6cb79d4893d02dda2233805dc19
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5c572c2fd8033d0d5f5635f0894552df6ec9504d1d7df8554206241f5f7d4371
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BB913831A0DA8A4FE356A73C98666B57BE2FF56750B0401FAC459CB2D7DE0C6C06C382
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f936ac60ac54ada5d18366d95fff10a592cbbf762bfc8c389ac484d60b57cda4
                                                                                                                                                                                                                                                                        • Instruction ID: 341c3c07d24ed8d8972dc37757bbd09bcf21455b581dc2793d0ae62442415746
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f936ac60ac54ada5d18366d95fff10a592cbbf762bfc8c389ac484d60b57cda4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 59814B32B1CD0A4FE694FB1CA45A7B973D2FF993A0B0501BAD44EC7296DD199C438382
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: aa99afe75bd34142d08acdfdc7c46f6719f8360724194204caec889bd6579f99
                                                                                                                                                                                                                                                                        • Instruction ID: 689b0bb5b00510235f6e46f8881cde44946747f769925348067c88917c6b509b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa99afe75bd34142d08acdfdc7c46f6719f8360724194204caec889bd6579f99
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 93910430A2CB4ACFD758DE2894865B677E0FF95750B24067DD08AC7196DE28FC42C782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a98a37b92828e0b6fcc87f460b9a87aea82c76b37409265ad9b3491413475315
                                                                                                                                                                                                                                                                        • Instruction ID: 3abbea69273fc3f96a961304530466e49248e7994c30d35c536c8b39389591ed
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a98a37b92828e0b6fcc87f460b9a87aea82c76b37409265ad9b3491413475315
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4912431A1C6874FE3599A6888552B877E2FF96344F1441BAD88BCB1D7DD2CAC86C343
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 23668aef076e680621de79ad2641db2255c104be438df02246e5a4b6016330c8
                                                                                                                                                                                                                                                                        • Instruction ID: 8b6c6ebea49e2a73386652084098409ac19432dc6ecba558df4cc19954907ea4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 23668aef076e680621de79ad2641db2255c104be438df02246e5a4b6016330c8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2791F430A1CB8ACFD755DB2894866B677E0FF95750F14067ED48AC7292DE28F842C782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a203adc311b5271b982721b77f89c1193c243d4a4fcde65254692b93d428ce58
                                                                                                                                                                                                                                                                        • Instruction ID: d59a4f37e0502f28bc2dd6768ba5206457c4be2f1ed5904382606dae6bb81529
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a203adc311b5271b982721b77f89c1193c243d4a4fcde65254692b93d428ce58
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C091E731A1C94A4FE795DB2CD8647A97BE2FF99340F0801FAC04DD7296DE299C46C782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        • Instruction ID: b180b42983a956e8e69a4bfd2de718e5b0ee425eb29d5e4ca4eb217c60be9c8f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a4c82eeb467942b4b986c243dac3a2980a9aa46280bcd42211fb7566e7aa23cb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0A513C2170DA4A4FE75AA61C68526F57BD1FF46371B0402B7D48DC7197DD0AEC438391
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1eee9f34bd453d8ed7e7cd1963c5f5693525d0a0539affd9f9eb8736a7ad9f83
                                                                                                                                                                                                                                                                        • Instruction ID: 03f6b0136fa3c3bb6960317aa2b30d5fca42be59a517f2eae49fe68341e79cf3
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1eee9f34bd453d8ed7e7cd1963c5f5693525d0a0539affd9f9eb8736a7ad9f83
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F271F570D08A5D8FDB98DF58C885BE9BBB1FB59300F1092AAD04DE3251DB74A985CF81
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c4a980f17ca4cd431e613d31eb270e53095777b5552ab48ff75c0ee08263720c
                                                                                                                                                                                                                                                                        • Instruction ID: 75f49994c227665e918842f75fc41064d6f68ae0d0447ce6fe6e427b55a2f0cc
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c4a980f17ca4cd431e613d31eb270e53095777b5552ab48ff75c0ee08263720c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E710D31A189498FDF94EF18D895BA977E2FFA8744F540169E40DD7286CE34EC42CB81
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 39cc90f2cc59e1776ba68b5ec8835797af3b0f57f15a95cc649259abf5084bd8
                                                                                                                                                                                                                                                                        • Instruction ID: 04a04e8b6a43fc8723fa5399fb04e60b35eae9771307c3ea29d4073dc67e9204
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 39cc90f2cc59e1776ba68b5ec8835797af3b0f57f15a95cc649259abf5084bd8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D1511B72E0CACA4FE355E66C9C591B97BE4FF46360B0501BAC04AC71D3DD196C4AC791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9b9a2b89f290fd507dfe77203c371a319693e295ecaad984b76d0e5cc5bfbf82
                                                                                                                                                                                                                                                                        • Instruction ID: 7826a7c83efe1e17220237764ddd28c8a6ca3233af30bea447144ed6e21bf794
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9b9a2b89f290fd507dfe77203c371a319693e295ecaad984b76d0e5cc5bfbf82
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F4815270918A8E8FDB84EFA8C859BEDBBF1FF59300F1405B9D449D7296DA34A846C740
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5d7d7cac49e9d6820a95c948c32ae0cf5c9ebeeed8426446d99a74b81a5684ef
                                                                                                                                                                                                                                                                        • Instruction ID: 08fd03e1bdee1cb2254d7704f784d578633dfe7724e9669cce0b730542cc5474
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d7d7cac49e9d6820a95c948c32ae0cf5c9ebeeed8426446d99a74b81a5684ef
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8471C07090DA998FDB85DBA8C859BEDBBF1FF56300F1501AED049DB292CA395846CB40
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 47246d53978f4ebbc55637565b06f25f1507a91fae5899bcd43364fbdee60f6f
                                                                                                                                                                                                                                                                        • Instruction ID: d6384917031afa74a540ae84c8ba05195e5338aab5f9b71dd0bd59a1bcf24900
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 47246d53978f4ebbc55637565b06f25f1507a91fae5899bcd43364fbdee60f6f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E7513731B08D598FE7A9E72C94597B977D1FF98780B0801FAD44EC7292DE18AC46C382
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 42218841d77e493fac42c2f0ee362cf5bc7f584f5b5e41aa47ccd67d7377c1d0
                                                                                                                                                                                                                                                                        • Instruction ID: 0d9cc53a6100734d47569967107077545db395ea8f853ad214dbe1564c4be5f7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 42218841d77e493fac42c2f0ee362cf5bc7f584f5b5e41aa47ccd67d7377c1d0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B0510571E1CE4B4BE7A9966CA5A66B973D3FF94784B84007DD00EC72D7DD29BC028242
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        • Opcode ID: bbba43f4ebdf0a69f50280d0aa0eb27dc5b19cf165b7cba2c1818cb90e96470d
                                                                                                                                                                                                                                                                        • Instruction ID: e1cf4e95e824a8f43f99c4fac6cd66441ca1837d964e86652506212ca4cf6aaf
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bbba43f4ebdf0a69f50280d0aa0eb27dc5b19cf165b7cba2c1818cb90e96470d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B5511A26A1C2530AF711B6BCB5A26F53790DF417A9F084277D0CCCE093ED1C698583A6
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 023a73c7154c2f9f465449f7a0b46e8da8687065f73c18311f6d8c2ee2c170ad
                                                                                                                                                                                                                                                                        • Instruction ID: 71b113650f10260264218f8812b5e8ca651de35b38848d9f27cabc7ac2f1046c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 023a73c7154c2f9f465449f7a0b46e8da8687065f73c18311f6d8c2ee2c170ad
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C511020A1CA954FE7699778946A6F57BE2FF45340F0884BAC48ECB1D3DD1DAC42C382
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 3d0e95d9f83dcd6cfaa6bdb504dfdefce6404ed8764c093d5b1e254826e1842e
                                                                                                                                                                                                                                                                        • Instruction ID: f759c67bf6a0e52b168cecc3812ea5ba0fe66cafc17104fff8d9823d10704487
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3d0e95d9f83dcd6cfaa6bdb504dfdefce6404ed8764c093d5b1e254826e1842e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9951C331D0DA899FDB52EB68C8596EDBFF0FF56350F0500BAD089DB192DA2C9845C781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d01820dae561905ebca74bba85740a2fa9d28fdb50a01e3740482f2a4e5dcfa1
                                                                                                                                                                                                                                                                        • Instruction ID: 8da3f54dc4998fbdebc3d39194e204762e0193a6246137c2e6b9d4706e350013
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d01820dae561905ebca74bba85740a2fa9d28fdb50a01e3740482f2a4e5dcfa1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CF51E03084E6C94FD752DB788C69BE97FF0EF46240F0801EED089DB1A2CA694886CB51
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8ff9a7c0d2165b6dcc2ee075514c4db96676169948b321e076e3a670607877b7
                                                                                                                                                                                                                                                                        • Instruction ID: 91916b19391f776b6c9cbdc0e791a98ebc7956df2da9d926393510f822dfe841
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8ff9a7c0d2165b6dcc2ee075514c4db96676169948b321e076e3a670607877b7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E519134109A468FDB99EB28C0A5EB677E1FF5535472448ADD08ECB6D2CA39EC47CB40
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f6bd8feb4bfaa01c1f85863dbff1845ae21de83e5b5b7aa44072760413a9880b
                                                                                                                                                                                                                                                                        • Instruction ID: d62f04fd7807bdb5c2e3ade391dea142bb46940ab032255054429765c9aa7c0e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f6bd8feb4bfaa01c1f85863dbff1845ae21de83e5b5b7aa44072760413a9880b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7D41F531B1CF898FDB68DA1C984657AB7E2FF98750B14027AD489C3655DE24FC128782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7e173432f40338426ba6be5724194488c990869c44270d436fca994d51979109
                                                                                                                                                                                                                                                                        • Instruction ID: ef9a4aef805e05b2f1831c6af0dc1ae2f9cc0e060ee96903dafcd051f7fbe114
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e173432f40338426ba6be5724194488c990869c44270d436fca994d51979109
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C651F73061D6469FE355DBB8C45ADBEBBA2FF85354B2405FCD04A87193CE29AC02C741
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7e173432f40338426ba6be5724194488c990869c44270d436fca994d51979109
                                                                                                                                                                                                                                                                        • Instruction ID: ef9a4aef805e05b2f1831c6af0dc1ae2f9cc0e060ee96903dafcd051f7fbe114
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e173432f40338426ba6be5724194488c990869c44270d436fca994d51979109
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: cc02907b11bf5335552312af99aed23a0ee11088b1c00e2f905afc69a8666bea
                                                                                                                                                                                                                                                                        • Instruction ID: 3acb92aa3104340896448580f49f5a8fb0da72275c39411b09f042f1f91da654
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cc02907b11bf5335552312af99aed23a0ee11088b1c00e2f905afc69a8666bea
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B741B23061CA868FDBA6EB2CC495E7277E1FF59340B0445A9D08AC72A2CD25FC45C751
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f9ea75a5dfbd83cc5324eee68a7d365d36796dce549d02c1d9c8ed4d13b23d5f
                                                                                                                                                                                                                                                                        • Instruction ID: 04af1be010c52e047d00fb6754e2d1cc59f36e688105197d8e74a232f808b44e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f9ea75a5dfbd83cc5324eee68a7d365d36796dce549d02c1d9c8ed4d13b23d5f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4541A56190E5CA5FE355D77898AE6B97FE0EF46250F0501FEC49DCB2E3DA182806C741
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5863f100200b40c1bae3bdea16ce9d4e4d9caac99fa99961d97d311417ada708
                                                                                                                                                                                                                                                                        • Instruction ID: 760903051e1b971afbd264325df136790db8d2e8f08bf21cea1ea1502e80ca6e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5863f100200b40c1bae3bdea16ce9d4e4d9caac99fa99961d97d311417ada708
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F3417B30E0969D8FDB54DBA8D8596EDBBB1FF45340F4001BAD44DE7292CA386846CB81
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 10c4e1e2566a256c21dc04ba68c249b1e9df073a5bb0107dadde46e6450d68d6
                                                                                                                                                                                                                                                                        • Instruction ID: 9da73a70befbd1a9b3acfb3d02bac899b8ef1e6a7b6f3b5cd91e9184d0ec321a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 10c4e1e2566a256c21dc04ba68c249b1e9df073a5bb0107dadde46e6450d68d6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B3410326E2CE4B4BEB69965CE6956B533C3FF94790B840079C00EC7286DD29FC02C642
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 060532ad03620df0c58e1f60424162b2e931efe9d4ee71ea7a49071a08920d45
                                                                                                                                                                                                                                                                        • Instruction ID: fcc902a6bc9757f07fb008435b6bb92d015109af509a7ca3d8249c896b34f275
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 060532ad03620df0c58e1f60424162b2e931efe9d4ee71ea7a49071a08920d45
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C031C772E18D5A4FE3D4BA3CA41A2BA33D0FF88755F04057BD84ED7295ED589C828346
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 457741c3bea2080c8e84ff139a56bf03dfa14e3f3c75b77c4121f5ab11a7e39b
                                                                                                                                                                                                                                                                        • Instruction ID: 28c21bc190737441b7822de95228c1fce5f7a1b0c6ebf9ce2280f2b1ee1a4c44
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 457741c3bea2080c8e84ff139a56bf03dfa14e3f3c75b77c4121f5ab11a7e39b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8E41C070D0DA9D8FDB96EB68D8592EDBBB1FF5A300F1500BAD009E7292CA799C01C740
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f9341096846b373d4ce076ffa71720d313e49030971e2c72613b222d9d3d42ea
                                                                                                                                                                                                                                                                        • Instruction ID: d30c1858a3e6690f42681549919d21f991d6df6e2529a271994cf305f951a804
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f9341096846b373d4ce076ffa71720d313e49030971e2c72613b222d9d3d42ea
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A731AB93E0D7D1DFE2569A6D68A60F66BD0FFA6A6071900FBC0C9C71A3D9091C16C351
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 3151f4ff46ba58554cd39aa2d550fc1dbd384e6a27077baf044a9104f893ba33
                                                                                                                                                                                                                                                                        • Instruction ID: 3eb83c99a1a0b41f896d86c61dc7079006d9974fd33bcd8b70b3c2575c8d846a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3151f4ff46ba58554cd39aa2d550fc1dbd384e6a27077baf044a9104f893ba33
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D3319220A1DB984FE754961C9896B767BD2FF89750F0402AEE48DC3296DE24BC42C383
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ee5b8d9e030fae2cefb852eabfb20c8e6480214627ca1d2049f091db6b0182b5
                                                                                                                                                                                                                                                                        • Instruction ID: 3b3274d89c14d904bd3d2dd33fa68fb7ebc334e7d05132eb82a925f0867926a4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ee5b8d9e030fae2cefb852eabfb20c8e6480214627ca1d2049f091db6b0182b5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 31318E3154EBC68FD3478B6898652917FF0EF0726071A44EBC489CB0B7E6589C4AC752
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 46f222d6b8a4b4efec2ac3f46ef187c858db13f1fc8f3824ff5247d24f3bf5a8
                                                                                                                                                                                                                                                                        • Instruction ID: e4fda213cd330c1996ce683f12c1414adc69a31a6307417a879da9595a5c5d2f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 46f222d6b8a4b4efec2ac3f46ef187c858db13f1fc8f3824ff5247d24f3bf5a8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C31ED30A18A468FE769DA3CD486BA1B7D1FF54740F1445BCC48FC3296EA28BC82C780
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7024ed0b3613830a3f6ad39817fe8ff5eb90e41174b5c8dd49757d232eb9bd51
                                                                                                                                                                                                                                                                        • Instruction ID: 9cad2f276c77c73654f691777379bbbe2958f75d2207b28f1e68aa594077f677
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7024ed0b3613830a3f6ad39817fe8ff5eb90e41174b5c8dd49757d232eb9bd51
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EF21F331B1CE194FE6689A1CB84A2B573C0FB9C765B0002BFE84DD32A2DD155C0682C2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 32bfd6009b0f5229e01072d6f4102eef5c623437b67b9e3b03210e5c6beae0ac
                                                                                                                                                                                                                                                                        • Instruction ID: 25d7be42cdb81ac5bd09d4c959ddba82c14dbd88408c7f056b54acb82836839d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32bfd6009b0f5229e01072d6f4102eef5c623437b67b9e3b03210e5c6beae0ac
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B2115B32B0DD494FE7D6A12C646A2B577D1EB9A6A571401BBD48EC3192DD158C038382
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6e96d63783aef991276b5d566eee5092776d6527347d411db41dd2a6a7a91b9d
                                                                                                                                                                                                                                                                        • Instruction ID: 26e9c5c09336f832ce61362cade259512d37088a53a810b7553579abeafb318f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6e96d63783aef991276b5d566eee5092776d6527347d411db41dd2a6a7a91b9d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BD210731A08A464FE359FB3C94592B97BD2FF85350B0506BEC44EC71D7DE2C68028751
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 55459e2eef8ebe9cdc4fbfe1b2e363ff31d6bc52db2d511a5c60a331e3a5f50e
                                                                                                                                                                                                                                                                        • Instruction ID: a9692d9d9409f7e9b987cb00632e90f36e881cf0ef3231610f89a93b208a7a0f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 55459e2eef8ebe9cdc4fbfe1b2e363ff31d6bc52db2d511a5c60a331e3a5f50e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37319A7090DA899FD752DB78D85A9EDBFF0EF46310F0405EED489DB193DA28A441C782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c8b3b942c9c7be978c687c8190219c3908ac997b2f3cca3e0ed3a00280b25067
                                                                                                                                                                                                                                                                        • Instruction ID: a973a3174ea7ed81a53222eb974502b6676cd5389c35db783d644f1997f3d75b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c8b3b942c9c7be978c687c8190219c3908ac997b2f3cca3e0ed3a00280b25067
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3F212532E0C6498FF769D66CE8561F8B7E2FF95350B1441BFC04AC7592EE24A846C782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8d4b62269b84642f9174d0e9915f9d1258934a7153756fc50a6def560abb0e2e
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a8916c0b37e936b6a2da6111f8c3e8e821329f375c8e2883cf20fdfd909fe354
                                                                                                                                                                                                                                                                        • Instruction ID: b7effb9002d032efeb8c3d37d2274e634b36019fe1a5abd235788417bc1181f1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a8916c0b37e936b6a2da6111f8c3e8e821329f375c8e2883cf20fdfd909fe354
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F6112532F1DC494FE2D8946D3C965792AC5EB98A58B0501BBE80CC3356DC118C81C292
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 0d3d62db63890eb326b78bdd92df42acab45021d187ea62e0c9a328b1e735ce1
                                                                                                                                                                                                                                                                        • Instruction ID: 21706473ff33b4d4c1f7d307ed8a5510d363a82442b5313ff40a0caf4719101e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0d3d62db63890eb326b78bdd92df42acab45021d187ea62e0c9a328b1e735ce1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8411AF7050CB889FE3699F28C81D7A67BE0FBA9311F04456ED48CC32A2EE30A801C752
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2e8450ea96bf18bf5152be622dfc37188baaa0c2240acadd66607549b8f19ba4
                                                                                                                                                                                                                                                                        • Instruction ID: 194dc7b575846e8d02088be6f0ae06b39dcab1dd50701b98a44a78fb4f32f8ec
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2e8450ea96bf18bf5152be622dfc37188baaa0c2240acadd66607549b8f19ba4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64117322F0DE4ACFEAADD91CA0A52B4A3D1FB9C650714457AD00EC7185DD11BC068742
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 226a7a72876a0990ba508e440d6d07d3626c71301957d618cb7d775eb4af7951
                                                                                                                                                                                                                                                                        • Instruction ID: 1bce349edc15e6710b06725782466bcb92a43a7a702dddc1a3c67f1b4a65a4e0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 226a7a72876a0990ba508e440d6d07d3626c71301957d618cb7d775eb4af7951
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2A118230708C198FE6A4EB2CD859A7A37D2FF98750B514579E04EC7292DE25AC81C781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5901dbc39439829c18ec383645b56c0cdc08211a7d84ffffb8fb5e0849d70221
                                                                                                                                                                                                                                                                        • Instruction ID: 18102f9376a5611d3e1d76cf076b46138380a8e9721977b8d9ff6edd1c3c4da5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5901dbc39439829c18ec383645b56c0cdc08211a7d84ffffb8fb5e0849d70221
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EF111E31B5C9599FDA98EB5CE85A66D77E1FF98751B0141AAE00DC3296CE20AC02C7C1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b50c6b1cf0bf560341a69442971cad3dd5fe585667bc232fe83f4da9b45f2c1c
                                                                                                                                                                                                                                                                        • Instruction ID: 16e233ced2d27c53ddb7d9cd8e940802dbeec171324f64b31a0cd68b4f586beb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b50c6b1cf0bf560341a69442971cad3dd5fe585667bc232fe83f4da9b45f2c1c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0101F730608E1D8FCFA4EA2DC494EB433E1FB1931530500D6D44ACB2A2DA28ECC6C790
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 53e04fd41dae4ddb70f660080fc31ed595fe4632aa439f30efae09351cc3505c
                                                                                                                                                                                                                                                                        • Instruction ID: ae071af672e1a54f6c5ebd96264cee1f63a1a987cb5bc40f5e3ad72463281c4a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 53e04fd41dae4ddb70f660080fc31ed595fe4632aa439f30efae09351cc3505c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2B010822E18D964BE295EA1C989C3F963D2FBB8780F0401BBC00EC31D6DD285C4687D0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ad1aa0037a6bd48793b40e1de4c4ee73a2d58f4391498098c0403f47acda5217
                                                                                                                                                                                                                                                                        • Instruction ID: a0602e5076f3ee56442d7a4eceea5b9c959d446389185d59ab6faab17469b5ab
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ad1aa0037a6bd48793b40e1de4c4ee73a2d58f4391498098c0403f47acda5217
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 40114C7050E7C44FD3079B288C68951BFB0EF5725174946EFD488CB1E3CA29984AC752
Memory Dump Source
• Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9b41a185abc4db38d055d11cc54917d114e3f04ab42280e413b229b2694aac56
                                                                                                                                                                                                                                                                        • Instruction ID: 05593531443cac0a8d1c2b73bb06f86e8c45cb9c86a870761e5cba9f8493fa18
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9b41a185abc4db38d055d11cc54917d114e3f04ab42280e413b229b2694aac56
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2016831E086C9AFE7559B288C6D1F57FE0FF55250F0500BAC49DC70D2DD102915C742
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8157ba1dc85755894f53a8ac0992b860c9fa6fbb544e44336cb7b4d3dad7fee1
                                                                                                                                                                                                                                                                        • Instruction ID: 533d4e39e5b519f12e977aa8b6028ab897369dbfddeb0c9de2c45ecbcd610932
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8157ba1dc85755894f53a8ac0992b860c9fa6fbb544e44336cb7b4d3dad7fee1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BF016231F1891E4FDB98E65CA455BA873D2FB883A0F1441B6D00DD7295DE28AC458781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a39d8c63b5ed8672db2356b6f745ed3b86e512116e0d8c86594eb8732f1816a0
                                                                                                                                                                                                                                                                        • Instruction ID: bfe47af4e3bbe8b2ef82fc49c2cb66d7983a2d66c7c9b2ee40abfe037073eee4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a39d8c63b5ed8672db2356b6f745ed3b86e512116e0d8c86594eb8732f1816a0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AD01D620A24E4B8FDA98EB2CD4946B6B3D1FF983507444579D04DC72C9DE28EC41C781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c2886b4f12126ede393174105d55dc45f196a3a17d2c3977340e97fbe1ea8473
                                                                                                                                                                                                                                                                        • Instruction ID: 1c893dc7b63b88599cc784a59ddab8ddcf360965fed2e98dac74616999842a5f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c2886b4f12126ede393174105d55dc45f196a3a17d2c3977340e97fbe1ea8473
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F001F521528F868AD354E338A8087E6B6D1FF84304F414479C08EC72C2EEA87848C341
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8e949c62c0e19b3f67688e7f8e6aeac2078e27c0e837c5ae07e3cc5f1d397603
                                                                                                                                                                                                                                                                        • Instruction ID: cf12b41d9dfcf0a77ce1f258abdcd719a2e3fccc735a4c28c91f887921683066
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e949c62c0e19b3f67688e7f8e6aeac2078e27c0e837c5ae07e3cc5f1d397603
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 55012602B1DAA60FE326F26DFDA61D4BB90EF822A070840B7D148CA1D3DC0869858291
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 59f61dc7e00cd39c337c82af2ea6cf099ed969734e8db860f57022cc9fefffb6
                                                                                                                                                                                                                                                                        • Instruction ID: 5e2e398089009f3f9f2cd165977367d007b91797e375698da6130f5ddf7c9b53
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 59f61dc7e00cd39c337c82af2ea6cf099ed969734e8db860f57022cc9fefffb6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37018631A28D4B4FD699FB2894646B6B3E2FFA8340B44857AD04DC7289DE28ED418752
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7d33fb591af975a865f10a805c3f41e1d99b8b83dd2581f6eb8108665a222083
                                                                                                                                                                                                                                                                        • Instruction ID: 246b95edfee062098e898d9e1c7ffd7ad751df7dbfac69203fd6f0f819c8d5a1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7d33fb591af975a865f10a805c3f41e1d99b8b83dd2581f6eb8108665a222083
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1101262080C3C95FE342A7788C692ED7FB0EF0A201F0504F7D049C70E3DA281908C342
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c67d3a22887dfa064b710e25b8c0ce4874efdaa683fc4babfd883de63dc766f2
                                                                                                                                                                                                                                                                        • Instruction ID: 7a16d6d3470af59203cf80f7391261e017f48c0c7980a6856d2f7f785a03684a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c67d3a22887dfa064b710e25b8c0ce4874efdaa683fc4babfd883de63dc766f2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2901DC708187CE8FDB82EF6888681E97FF0FF59200B0405ABD898CB1A2DE795914C341
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2638892210.00007FF886C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C00000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff886c00000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: befe94a1243b4014ff42d70f2576175aa224a53204f1dd78955dde1e2426d962
                                                                                                                                                                                                                                                                        • Instruction ID: f86c803aa1d57585fb91737c9eadca264fb01e41e664afc844b25415f3672fcb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: befe94a1243b4014ff42d70f2576175aa224a53204f1dd78955dde1e2426d962
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 60F09C3191DA938FD356D738487A16D3FE1AF05750B1404FEC45AC71E2CD2E5802CB06
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 686e199a9ad90d32cf417ae284bab5aa2102e3cc58df37973c9faaf05f51ee21
                                                                                                                                                                                                                                                                        • Instruction ID: 5537ead8e5599f99479d1d0c27b80b02e2ca24aa6ead2fa19797fa1c0a2d964a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 686e199a9ad90d32cf417ae284bab5aa2102e3cc58df37973c9faaf05f51ee21
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 42F0B43160DA89CFD7A4CA1CE4C5B65B7E2FF95310F8801A8C04CD7256CA35EC49C785
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 01ca71326f903bf3a13710da64f874d3ecd34f2aa2368d34e61f9dbf268c2be6
                                                                                                                                                                                                                                                                        • Instruction ID: a07c21c3d0014fd6ffbbd527bbc955723d85b9c5d184ab4621de2d82072b6d7a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 01ca71326f903bf3a13710da64f874d3ecd34f2aa2368d34e61f9dbf268c2be6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B2F05470948A9D4ED7A5AA2888193FA76A0EF45300F0109FF901DE72D2DF395984C681
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b6e78b637308265f042aac8a77b052b8bd951b110fdd8a1f9eb4c4e4381aeacc
                                                                                                                                                                                                                                                                        • Instruction ID: cb820155516ec18ee9adef0f673866e23b1ccc502e16aa41197fa68a0c63aa54
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6e78b637308265f042aac8a77b052b8bd951b110fdd8a1f9eb4c4e4381aeacc
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FEE06831A152965BC752A7E8BC296FBBBA0DF42760B0004FFC5ADCB443DD142121C7A3
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 37c78402f67e3072dc0e3113117d7909495657a6444e00b934239ecf40d7506c
                                                                                                                                                                                                                                                                        • Instruction ID: aa687b280f90fc4ae865a8428ca67cd82e12fed8af3b77c0a9abd8db698e6390
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37c78402f67e3072dc0e3113117d7909495657a6444e00b934239ecf40d7506c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1FF05475D2464A9BEB45EB9CD895EAC77F2FF98B50F810030D04DD3292CE296C41CB11
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7b57c77701a60417cbb53cd57ddfc87a7e4e61b476d3df5ca00b7c320e589c80
                                                                                                                                                                                                                                                                        • Instruction ID: 007f523e87148e92496c053170866db32d058bf9a5716bac64c346f4f051e2bd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7b57c77701a60417cbb53cd57ddfc87a7e4e61b476d3df5ca00b7c320e589c80
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 53E0D871A192965BD716A7E478356FBBBA0DF017A0B1404FFD4ADCB493ED1821208793
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ac856da4f2111df615d6b93361e451f41cdcfce79b23bd4b5189d388c284b025
                                                                                                                                                                                                                                                                        • Instruction ID: c0d5a6a4816b5d3720d9c1eed96d7d4a12b207af603e45ba5b157fa3f4b40dff
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ac856da4f2111df615d6b93361e451f41cdcfce79b23bd4b5189d388c284b025
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EEE0E535E0481E8ECB54EBA8E4917ECB7B1FF44251F4000BAD00CE3242CE396D818B01
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000E.00000002.2636433011.00007FF8869F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8869F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ff8869f0000_AteraAgent.jbxd