Windows Analysis Report
e0#U05ea.msi

Overview

General Information

Sample name: e0#U05ea.msi
renamed because original name is a hash value
Original sample name: .msi
Analysis ID: 1561807
MD5: 37d7404f46d43eac22991c947cc7b1f0
SHA1: abcc8525564e8264b539d685e826f957c12ef70d
SHA256: 06ffaabe4a1829177f078d1e6ad6bbc6af79d16729abcc8a21e4ec854448bb3d
Tags: msi, user-JAMESWT_MHT

Detection

AteraAgent
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7616 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\e0#U05ea.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7704 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7788 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2C828FCE33DD8E11A4DB652C16749A7F MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7844 cmdline: rundll32.exe "C:\Windows\Installer\MSI7358.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4158531 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7908 cmdline: rundll32.exe "C:\Windows\Installer\MSI7984.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4159906 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 8012 cmdline: rundll32.exe "C:\Windows\Installer\MSI9172.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4166015 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 3292 cmdline: rundll32.exe "C:\Windows\Installer\MSIB318.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4174625 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 8092 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 383888C60FE94E71DA4676E44D32717F E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 8124 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 8172 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 1424 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 5992 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="pjt145.chef@elbayrak.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000O3Ui7IAF" /AgentId="883f7d62-963d-4a4e-aadf-4ee8e577d238" MD5: 477293F80461713D51A98A24023D45E8)
  • AteraAgent.exe (PID: 5828 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7840 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 1744 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "eb7ae0f0-01c0-4bb5-a03a-e6b63b26697d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 3996 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "bc5dfe9b-e2bb-4515-b3e1-7877603aa96e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 3152 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "16904213-f096-40ec-9bf1-11c4695deea3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found

Source | Rule | Description | Author | Strings
C:\Windows\Temp\~DF6A4DE52DC2399F9D.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Config.Msi\3f7202.rbs | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSI9172.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
0000000D.00000002.1463826207.0000017A800B4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000D.00000002.1468342329.00007FF7BFD24000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000001A.00000002.2542392048.000002917AA98000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000005.00000002.1382344987.0000000004884000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000017.00000002.2159293412.0000020BD2632000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
13.0.AteraAgent.exe.17ae7570000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
19.2.AgentPackageAgentInformation.exe.171da1b0000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
19.0.AgentPackageAgentInformation.exe.171c11b0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
19.0.AgentPackageAgentInformation.exe.171c11b0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

Source: Process started; Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements); Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 383888C60FE94E71DA4676E44D32717F E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 8092, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 8124, ProcessName: net.exe
Source: Process started; Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems); Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 383888C60FE94E71DA4676E44D32717F E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 8092, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 8124, ProcessName: net.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T11:15:51.050611+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49776 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:35.984255+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49883 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:47.004689+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49914 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:54.207757+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49935 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:00.277308+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49956 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:03.728861+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49970 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:09.629152+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49993 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:16.645622+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 50027 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:22.433110+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 50049 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:28.077033+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 50072 | 13.232.67.198 | 443 | TCP

                              AV Detection

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, ReversingLabs: Detection: 26%
Source: e0#U05ea.msi, ReversingLabs: Detection: 31%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.4% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49750 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49751 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49761 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49762 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 108.158.75.93:443 -> 192.168.2.10:49778 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49935 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49936 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49955 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49957 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49956 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49966 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49970 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49974 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49977 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:50014 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:50021 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:50049 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:50081 version: TLS 1.2
                              Source: C:\Windows\System32\msiexec.exe File opened: z:
                              Source: C:\Windows\System32\msiexec.exe File opened: x:
                              Source: C:\Windows\System32\msiexec.exe File opened: v:
                              Source: C:\Windows\System32\msiexec.exe File opened: t:
                              Source: C:\Windows\System32\msiexec.exe File opened: r:
                              Source: C:\Windows\System32\msiexec.exe File opened: p:
                              Source: C:\Windows\System32\msiexec.exe File opened: n:
                              Source: C:\Windows\System32\msiexec.exe File opened: l:
                              Source: C:\Windows\System32\msiexec.exe File opened: j:
                              Source: C:\Windows\System32\msiexec.exe File opened: h:
                              Source: C:\Windows\System32\msiexec.exe File opened: f:
                              Source: C:\Windows\System32\msiexec.exe File opened: b:
                              Source: C:\Windows\System32\msiexec.exe File opened: y:
                              Source: C:\Windows\System32\msiexec.exe File opened: w:
                              Source: C:\Windows\System32\msiexec.exe File opened: u:
                              Source: C:\Windows\System32\msiexec.exe File opened: s:
                              Source: C:\Windows\System32\msiexec.exe File opened: q:
                              Source: C:\Windows\System32\msiexec.exe File opened: o:
                              Source: C:\Windows\System32\msiexec.exe File opened: m:
                              Source: C:\Windows\System32\msiexec.exe File opened: k:
                              Source: C:\Windows\System32\msiexec.exe File opened: i:
                              Source: C:\Windows\System32\msiexec.exe File opened: g:
                              Source: C:\Windows\System32\msiexec.exe File opened: e:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: c:
                              Source: C:\Windows\System32\msiexec.exe File opened: a:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC91873h 13_2_00007FF7BFC9184E
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC91A44h 13_2_00007FF7BFC9184E
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC91FFFh 13_2_00007FF7BFC91EB6
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC91FFFh 13_2_00007FF7BFC91EA1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC91FFFh 13_2_00007FF7BFC91E7E
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC91873h 13_2_00007FF7BFC90C1D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC91A44h 13_2_00007FF7BFC90C1D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC91FFFh 13_2_00007FF7BFC90C1D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC9227Bh 13_2_00007FF7BFC90C1D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC94ECBh 15_2_00007FF7BFC94E6B
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FF7BFC9227Bh 15_2_00007FF7BFC92256

                              Networking

                              Source: Yara match File source: 19.0.AgentPackageAgentInformation.exe.171c11b0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=484b7669-faad-46fb-95da-3f494fe71338&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com Connection: Keep-Alive
                              Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=828d2fae-bb40-4bf1-b7d4-c9f95f35880c&tt=0&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com Connection: Keep-Alive
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5e281e32-d56c-48ee-a94d-f7f921f64993&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com Connection: Keep-Alive
                              Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=de3a19ac-393b-475a-b5ce-07c61aa216d9&tr=31&tt=17324433440133815&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com Connection: Keep-Alive
                              Source: global traffic HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?MXEuqxTtBtfd+dFjSfn8PupuPxKD+CNuASOYt6ySpA3SYMBPBbjiPgfcFSHiAA/v HTTP/1.1 Host: ps.atera.com Connection: Keep-Alive
                              Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9dbdf105-b22b-42a8-a293-ef3c50c5b89f&tr=31&tt=17324433466351848&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0c8fe399-28d9-41a3-bf50-c77a672f47cf&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=dc3922f5-35d6-4f94-b311-0484e4bd5995&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=acd435f0-64b6-414e-afe1-15c95d580f8e&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d7638603-5a9e-4a0e-a726-ea2723946dc6&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=128fc0be-bd77-4dce-a0ea-9cf2448b0742&tr=31&tt=17324434035889063&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5951d75d-4aae-498f-8cfe-2d2684bcac30&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c81cc1d6-c362-4d28-bb00-1ffac3b99a1b&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0fdd6a07-21a5-4251-94a9-7ec5786af820&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=37a1639b-3b2d-493d-9681-4ffe4cb9d665&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=88896d23-1ff2-4725-8b62-fd0ae95c45ca&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=4e6de541-ebdf-48b4-adc4-f35ddb9ca4eb&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=459726b1-bf54-4233-9c92-512b1a42571f&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d5f0f946-189b-4da5-b329-5fc70e83eabd&tt=0&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=be904d3c-4208-46ed-ab86-e69008a35a81&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=53a672d4-64e8-41a4-b6a2-cf6f70a93e3a&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=09996451-139e-4d4e-87e9-c03841f30e76&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=90ccbbf8-4ad9-4204-81c2-de1d71cdcfcf&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=dec5ebd3-4793-42cc-bd15-dbc991b93b5c&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8cf06a91-99a7-45cd-a779-b72be96870d7&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e5b922ff-1087-45ae-bfaa-92dac2278cbc&tr=31&tt=17324434221501574&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=459bf948-52b5-4158-a1ed-7acb5a150d74&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=58b95c89-793e-4183-b4ec-622b28949278&tt=0&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2aed862e-2eee-4460-94f8-67ced20c3e98&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9b35e03f-9217-47fc-883e-376a0acf1a33&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=12f3eadc-4137-4969-a630-9caae86b52c8&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ae447775-3f27-4878-8dac-a944634d4b04&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a714345f-6069-463f-b471-b79c49409a31&tr=31&tt=17324434221501574&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1 Cache-Control: no-cache Pragma: no-cache Content-Type: application/json Host: ps.pndsn.com
                              Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49914 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49956 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49776 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49883 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49993 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49970 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49935 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:50072 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:50027 -> 13.232.67.198:443
                              Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:50049 -> 13.232.67.198:443
                              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global traffic DNS traffic detected: DNS query: agent-api.atera.com
                              Source: global traffic DNS traffic detected: DNS query: ps.pndsn.com
                              Source: global traffic DNS traffic detected: DNS query: ps.atera.com
                              Source: AteraAgent.exe, 0000000D.00000000.1405684872.0000017AE7572000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe.2.dr String found in binary or memory: http://acontrol.atera.com/
                              Source: rundll32.exe, 00000005.00000002.1382344987.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99AFB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9990D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99996000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1528735655.0000000005145000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1705051766.00000171C1C1F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2160139077.0000020BD2F3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.2540762394.0000029162240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://agent-api.atera.com
                              Source: rundll32.exe, 00000005.00000002.1382344987.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99AFB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9990D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99996000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1528735655.0000000005145000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1705051766.00000171C1C1F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2160139077.0000020BD2F3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.2540762394.0000029162240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 3f7203.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.dr, 3f7201.msi.2.dr, BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                              Source: AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB2146000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, C56C4404C4DEF0DC88E5FCD9F09CB2F10.15.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1463826207.0000017A800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1467332251.0000017AE9E0F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2553576063.0000019FB216D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2555203032.0000019FB2576000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.2.dr, 3f7203.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, AteraAgent.exe.2.dr, 3f7201.msi.2.dr, BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB215D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 3f7203.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.dr, 3f7201.msi.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                              Source: F2E248BEDDBB2D85122423C41028BFD40.15.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB20D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1707551998.00000171DA3B1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1707551998.00000171DA38F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2159293412.0000020BD2632000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2161414672.0000020BEB6AA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, C56C4404C4DEF0DC88E5FCD9F09CB2F1.15.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 3f7203.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BEB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/
                              Source: AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com//U
                              Source: AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/?Uo
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 3f7203.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.dr, 3f7201.msi.2.dr, BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.drString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BD6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1467332251.0000017AE9DF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BAF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB2146000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB20D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2555203032.0000019FB2520000.00000004.00000020.00020000.00000000.sdmp, 1A374813EDB1A6631387E414D3E732320.15.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1463826207.0000017A800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1467332251.0000017AE9E0F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2553576063.0000019FB216D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2555203032.0000019FB2576000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.2.dr, 3f7203.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, AteraAgent.exe.2.dr, 3f7201.msi.2.dr, BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9B7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlN
                              Source: AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB20D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlT.=
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crle%
                              Source: AteraAgent.exe, 0000000D.00000002.1467332251.0000017AE9E0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 3f7203.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.dr, 3f7201.msi.2.dr, BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9B7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BEB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2555203032.0000019FB2590000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1BD0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmp, BA74182F76F15A9CF514DEF352303C950.15.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                              Source: BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl5:
                              Source: AteraAgent.exe, 0000000D.00000002.1467332251.0000017AE9DDF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crle
                              Source: AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlj
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crloj
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                              Source: AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/l
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crllorer
                              Source: AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB215D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                              Source: AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB20D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2555203032.0000019FB2520000.00000004.00000020.00020000.00000000.sdmp, 329B6147266C1E26CD774EA22B79EC2E0.15.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                              Source: AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB2146000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl$
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BD6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1463826207.0000017A800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1467332251.0000017AE9E0F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2553576063.0000019FB216D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2555203032.0000019FB2576000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.2.dr, 3f7203.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, AteraAgent.exe.2.dr, 3f7201.msi.2.dr, BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl7%
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl8
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlC
                              Source: AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB20D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlG
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/l
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformati
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.3/AgentPackageProgramManage
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99AEF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9991F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99AEF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99D2E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9991F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0c8fe399-28d9-41a3-bf50-c77a672f47cf
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9991F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=12f3eadc-4137-4969-a630-9caae86b52c8
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2aed862e-2eee-4460-94f8-67ced20c3e98
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=459726b1-bf54-4233-9c92-512b1a42571f
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=4e6de541-ebdf-48b4-adc4-f35ddb9ca4eb
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5951d75d-4aae-498f-8cfe-2d2684bcac30
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5e281e32-d56c-48ee-a94d-f7f921f64993
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d7638603-5a9e-4a0e-a726-ea2723946dc6
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=dc3922f5-35d6-4f94-b311-0484e4bd5995
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9991F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/8
                              Source: AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99AEF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9979E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, e0#U05ea.msi, MSI9422.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI9433.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.drString found in binary or memory: https://www.digicert.com/CPS0
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.drString found in binary or memory: https://www.newtonsoft.com/json
                              Source: Newtonsoft.Json.dll.18.drString found in binary or memory: https://www.newtonsoft.com/jsonschema
                              Source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2552512091.0000019FB1ED2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1707258744.00000171DA262000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49750 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49751 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49761 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49762 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 108.158.75.93:443 -> 192.168.2.10:49778 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49935 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49936 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49955 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49957 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49956 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49966 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49970 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49974 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:49977 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:50014 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:50021 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:50049 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.10:50081 version: TLS 1.2
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                              Spam, unwanted Advertisements and Ransom Demands

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3f7201.msi
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7358.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7984.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9172.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9422.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9433.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI94B1.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9638.tmp
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3f7203.msi
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIB318.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7358.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7358.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7358.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7358.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7358.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7358.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7984.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7984.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7984.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7984.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI7984.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI9172.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI9172.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI9172.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI9172.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI9172.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI9172.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329B6147266C1E26CD774EA22B79EC2E
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSIB318.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSIB318.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSIB318.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSIB318.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSIB318.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI7358.tmp
                              Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                              Source: e0#U05ea.msi | Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs e0#U05ea.msi
                              Source: e0#U05ea.msi | Binary or memory string: OriginalFilenameSfxCA.dll\ vs e0#U05ea.msi
                              Source: e0#U05ea.msi | Binary or memory string: OriginalFilenamewixca.dll\ vs e0#U05ea.msi
                              Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
                              Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.cs | Cryptographic APIs: 'TransformBlock'
                              Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.cs | Cryptographic APIs: 'TransformBlock'
                              Source: AteraAgent.exe.2.dr, SignatureValidator.cs | Base64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                              Source: classification engine | Classification label: mal88.troj.spyw.evad.winMSI@37/88@13/2
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ATERA Networks
                              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                              Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7844:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Mutant created: NULL
                              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8144:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6040:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1396:120:WilError_03
                              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF47766066B75C798D.TMP
                              Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI7358.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4158531 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: e0#U05ea.msi | Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                              Source: e0#U05ea.msi | ReversingLabs: Detection: 31%
                              Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\e0#U05ea.msi"
                              Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                              Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2C828FCE33DD8E11A4DB652C16749A7F
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI7358.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4158531 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI7984.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4159906 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI9172.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4166015 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                              Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 383888C60FE94E71DA4676E44D32717F E Global\MSI0000
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="pjt145.chef@elbayrak.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000O3Ui7IAF" /AgentId="883f7d62-963d-4a4e-aadf-4ee8e577d238"
                              Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIB318.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4174625 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "eb7ae0f0-01c0-4bb5-a03a-e6b63b26697d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "bc5dfe9b-e2bb-4515-b3e1-7877603aa96e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "16904213-f096-40ec-9bf1-11c4695deea3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cabinet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                              Source: e0#U05ea.msiStatic file information: File size 2994176 > 1048576
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb" source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1526994106.000000000368A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1527641291.000000000368B000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\System.pdbCD: source: rundll32.exe, 00000012.00000002.1531145906.0000000007B63000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1405684872.0000017AE7572000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.1383101279.00000000070A0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1707018026.00000171DA1B2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
                              Source: Binary string: n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1380713387.0000000002557000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1527431542.0000000003277000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 00000012.00000003.1527063128.0000000003614000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1527641291.0000000003614000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb]o source: rundll32.exe, 00000012.00000002.1527641291.000000000369C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1526994106.000000000369C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdbu source: rundll32.exe, 00000012.00000003.1526994106.000000000368A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1527641291.000000000368B000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381082827.0000000002A88000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1313919273.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.00000000044F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004255000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FB9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr
                              Source: Binary string: \??\C:\Windows\System.pdbJ source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbz source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1405684872.0000017AE7572000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.pdb0) source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381082827.0000000002A88000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: nC:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.pdb] source: rundll32.exe, 00000005.00000002.1380713387.0000000002557000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\System.pdbC source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000F.00000002.2555001444.0000019FB24E2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000F.00000002.2555001444.0000019FB24E2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2552512091.0000019FB1ED2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbNM source: rundll32.exe, 00000005.00000002.1383101279.0000000007070000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: nC:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.pdb9 source: rundll32.exe, 00000012.00000002.1527431542.0000000003277000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000013.00000000.1667258499.00000171C11B2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.15.dr
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1313919273.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.00000000044F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1383101279.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004255000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1527063128.0000000003663000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FB9000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.dr
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.1707258744.00000171DA262000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.15.dr
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1313919273.00000000044F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.0000000004522000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004286000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2552512091.0000019FB1ED2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1707258744.00000171DA262000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: e0#U05ea.msi, MSI9422.tmp.2.dr, MSI94B1.tmp.2.dr, 3f7203.msi.2.dr, MSI9433.tmp.2.dr, 3f7201.msi.2.dr, MSI9638.tmp.2.dr
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1313919273.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.00000000044F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004255000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FB9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1707018026.00000171DA1B2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1383101279.0000000007070000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: System.pdb source: rundll32.exe, 00000005.00000002.1383101279.00000000070A0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbtion source: rundll32.exe, 00000012.00000003.1527063128.0000000003671000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1527641291.0000000003671000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdbU source: rundll32.exe, 00000005.00000002.1383251568.00000000070AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380430941.00000000070AD000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1466692024.0000017AE9342000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1466692024.0000017AE9342000.00000002.00000001.01000000.00000011.sdmp, AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000003.1527063128.0000000003614000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1527641291.0000000003614000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: e0#U05ea.msi, 3f7203.msi.2.dr, MSI9172.tmp.2.dr, MSI7984.tmp.2.dr, MSIB318.tmp.2.dr, MSI7358.tmp.2.dr, 3f7201.msi.2.dr
                              Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdbNF source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbFg source: rundll32.exe, 00000012.00000002.1527641291.000000000369C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1526994106.000000000369C000.00000004.00000020.00020000.00000000.sdmp
                              Source: BouncyCastle.Crypto.dll.2.dr Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                              Source: MSI7358.tmp.2.dr Static PE information: real checksum: 0x32353 should be: 0x88610
                              Source: MSI7984.tmp.2.dr Static PE information: real checksum: 0x32353 should be: 0x88610
                              Source: MSI9172.tmp.2.dr Static PE information: real checksum: 0x32353 should be: 0x88610
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FF7BFC900BD pushad ; iretd 13_2_00007FF7BFC900C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFC900BD pushad ; iretd 15_2_00007FF7BFC900C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFC90772 push ebx; retn 0021h 15_2_00007FF7BFC9073A
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFC90718 push ebx; retn 0021h 15_2_00007FF7BFC9073A
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFC9073D push ebx; retn 0021h 15_2_00007FF7BFC9073A
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFC906FA push ebx; retn 0021h 15_2_00007FF7BFC9073A
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFC906D3 push ebx; retn 0021h 15_2_00007FF7BFC9073A
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFEB00B7 push ds; ret 15_2_00007FF7BFEB00BF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFEA180C push eax; ret 15_2_00007FF7BFEA1824
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFEA0AF1 push eax; ret 15_2_00007FF7BFEA0B14
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFEA02C1 push eax; ret 15_2_00007FF7BFEA02E4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FF7BFEB1258 push esp; iretd 15_2_00007FF7BFEB1259
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 19_2_00007FF7BFC900BD pushad ; iretd 19_2_00007FF7BFC900C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 23_2_00007FF7BFCA5587 push ebp; iretd 23_2_00007FF7BFCA55D8
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 23_2_00007FF7BFC900BD pushad ; iretd 23_2_00007FF7BFC900C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FF7BFCB00BD pushad ; iretd 26_2_00007FF7BFCB00C1

                              Persistence and Installation Behavior

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329B6147266C1E26CD774EA22B79EC2E
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7358.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9172.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI94B1.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7358.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9638.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9172.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB318.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7358.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB318.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9172.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7984.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7358.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7984.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9172.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI9172.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7358.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7984.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9433.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7984.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB318.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB318.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS\.DEFAULT\Software\Classes
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\CA
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 17AE78D0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 17AE9430000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 19F98F70000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 19FB1510000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 171C16B0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 171D9AF0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 20BD27E0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 20BEAE10000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 29161BD0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 2917A110000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 2909
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 6708
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7358.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9172.tmp
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI94B1.tmp
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7358.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9638.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9172.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB318.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7358.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB318.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9172.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7984.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7358.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7984.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9172.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9172.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7358.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7984.tmp
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9433.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7984.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB318.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB318.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 7948 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5928 Thread sleep time: -60000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5920 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2968 Thread sleep count: 2909 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2968 Thread sleep count: 6708 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7988 Thread sleep count: 36 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7988 Thread sleep time: -33204139332677172s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7988 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 600 Thread sleep time: -90000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3096 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7896 Thread sleep time: -180000s >= -30000s
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 2352 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1900 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8176 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2340 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4672 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                              Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 30000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 90000
                              Source: AgentPackageAgentInformation.exe.15.dr Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9B7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0n
                              Source: AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW]0
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9BD6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2553015765.0000019FB2146000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2551638150.0000019FB1C27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                              Source: AteraAgent.exe, 0000000D.00000002.1466941174.0000017AE9AF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                              Source: rundll32.exe, 00000005.00000003.1380209880.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1380463221.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1381184303.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1526994106.000000000368A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1527641291.000000000368B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2161160675.0000020BEB684000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.2542392048.000002917AA98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: AgentPackageAgentInformation.exe, 00000013.00000002.1707551998.00000171DA360000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT
                              Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
                              Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard
                              Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="pjt145.chef@elbayrak.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000O3Ui7IAF" /AgentId="883f7d62-963d-4a4e-aadf-4ee8e577d238"
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "eb7ae0f0-01c0-4bb5-a03a-e6b63b26697d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "bc5dfe9b-e2bb-4515-b3e1-7877603aa96e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "16904213-f096-40ec-9bf1-11c4695deea3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="pjt145.chef@elbayrak.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000o3ui7iaf" /agentid="883f7d62-963d-4a4e-aadf-4ee8e577d238"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "eb7ae0f0-01c0-4bb5-a03a-e6b63b26697d" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000o3ui7iaf
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "bc5dfe9b-e2bb-4515-b3e1-7877603aa96e" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000o3ui7iaf
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "16904213-f096-40ec-9bf1-11c4695deea3" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000o3ui7iaf
                              Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7358.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7358.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7984.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7984.tmp-\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI9172.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI9172.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIB318.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIB318.tmp-\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

                              Remote Access Functionality

                              Source: Yara matchFile source: 13.0.AteraAgent.exe.17ae7570000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 19.2.AgentPackageAgentInformation.exe.171da1b0000.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 19.0.AgentPackageAgentInformation.exe.171c11b0000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7844, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7908, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 8012, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 5992, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 5828, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3292, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 1744, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3996, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3152, type: MEMORYSTR
                              Source: Yara matchFile source: C:\Windows\Temp\~DF6A4DE52DC2399F9D.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                              Source: Yara matchFile source: C:\Config.Msi\3f7202.rbs, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSI9172.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF92B08A0855196A93.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFD6287FB4F7B1D804.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF47766066B75C798D.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF9D0DB2C030910D25.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSI7358.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF7B5BC7245F2550A2.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSI9422.tmp, type: DROPPED
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 11 Peripheral Device Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 21 Windows Service | 21 Windows Service | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 11 Service Execution | Logon Script (Windows) | 11 Process Injection | 21 Obfuscated Files or Information | Security Account Manager | 24 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 211 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 122 Masquerading | DCSync | 141 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 141 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
Behavior Graph (ID: 1561807, Sample: e0#U05ea.msi, Startdate: 24/11/2024, Architecture: WINDOWS, Score: 88)

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| e0#U05ea.msi | 32% | ReversingLabs | Win32.Trojan.Atera | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 26% | ReversingLabs | Win32.Trojan.Atera | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7358.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7358.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7358.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7358.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7358.tmp-\System.Management.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7984.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7984.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7984.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI7984.tmp-\System.Management.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI9172.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI9172.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI9172.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI9172.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI9172.tmp-\System.Management.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI9433.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI94B1.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI9638.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIB318.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIB318.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIB318.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIB318.tmp-\System.Management.dll | 0% | ReversingLabs | | |
                              No Antivirus matches
                              No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://agent-api.aterDn | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ps.pndsn.com | 13.232.67.198 | true | false | | high |
| bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high |
| d25btwd9wax8gu.cloudfront.net | 108.158.75.93 | true | false | | unknown |
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high |
| windowsupdatebg.s.llnwi.net | 178.79.238.0 | true | false | | high |
| ps.atera.com | unknown | unknown | false | | high |
| agent-api.atera.com | unknown | unknown | false | | high |
                                                                                                                                high
                                                                                                                                https://agent-api.aterDnrundll32.exe, 00000012.00000002.1528735655.0000000005127000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://agent-api.atera.comrundll32.exe, 00000005.00000002.1382344987.00000000048A5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99AFB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9990D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99996000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1528735655.0000000005145000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1705051766.00000171C1C1F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2160139077.0000020BD2F3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.2540762394.0000029162240000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945aAteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.datacontract.org/2004/07/AteraAgent.exe, 0000000D.00000002.1463826207.0000017A800BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://github.com/icsharpcode/SharpZipLibAteraAgent.exe, 0000000F.00000002.2555001444.0000019FB24E2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.drfalse
                                                                                                                                            high
                                                                                                                                            https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentIAteraAgent.exe, 0000000F.00000002.2543308265.0000019F996A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/vrundll32.exe, 00000004.00000003.1313919273.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.00000000044F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004255000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FB9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://agent-api.atera.comrundll32.exe, 00000004.00000003.1313919273.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1382344987.0000000004884000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.00000000044F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1382344987.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004255000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F999F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99B09000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9990D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99996000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1528735655.0000000005081000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1528735655.0000000005127000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FB9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1705051766.00000171C1B73000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2160139077.0000020BD2ECF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.2540762394.00000291621CF000.00000004.00000800.00020000.00000000.sdmp, 
AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://agent-api.atera.com/Production/Agent/AgentStartingAteraAgent.exe, 0000000F.00000002.2543308265.0000019F996FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9959C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99B09000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9990D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99996000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2aed862e-2eee-4460-94f8-67ced20c3e98AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://www.w3.ohAteraAgent.exe, 0000000D.00000002.1463826207.0000017A800BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 0000000F.00000002.2543308265.0000019F996FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99B09000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99996000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://agent-api.atera.com/rundll32.exe, 00000004.00000003.1313919273.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1382344987.0000000004884000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1323962673.00000000044F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1382344987.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1385299684.0000000004255000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1528735655.0000000005081000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1528735655.0000000005127000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1471650818.0000000004FB9000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://agent-api.atera.com/Production/Agent/GetRecurringPackagesAteraAgent.exe, 0000000F.00000002.2543308265.0000019F999F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://www.newtonsoft.com/jsonschemaNewtonsoft.Json.dll.18.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0c8fe399-28d9-41a3-bf50-c77a672f47cfAteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.zAteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F997CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99511000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99629000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F9957D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99797000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000F.00000002.2543308265.0000019F995E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F996E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99575000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2543308265.0000019F99579000.00000004.00000800.00020000.00000000.sdmpfalse
IP             Domain                         Country        ASN    ASN Name     Malicious
108.158.75.93  d25btwd9wax8gu.cloudfront.net  United States  16509  AMAZON-02US  false
13.232.67.198  ps.pndsn.com                   United States  16509  AMAZON-02US  false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561807
Start date and time: 2024-11-24 11:14:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: e0#U05ea.msi
renamed because original name is a hash value
Original Sample Name: .msi
Detection: MAL
Classification: mal88.troj.spyw.evad.winMSI@37/88@13/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 70%
• Number of executed functions: 415
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 40.119.152.241, 178.79.238.0, 192.229.221.95, 199.232.214.172
                                                                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): crl.edge.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, cacerts.digicert.com, agentsapi.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, atera-agent-api-eu.westeurope.cloudapp.azure.com, ocsp.edge.digicert.com, crl3.digicert.com, crl4.digicert.com, wu-b-net.trafficmanager.net
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 1744 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 3152 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 3996 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AteraAgent.exe, PID 5828 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AteraAgent.exe, PID 5992 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 3292 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 7844 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 7908 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 8012 because it is empty
                                                                                                                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                                                  • VT rate limit hit for: e0#U05ea.msi
Time | Type | Description
05:15:28 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
05:15:33 | API Interceptor | 2499876x Sleep call for process: AteraAgent.exe modified
05:16:00 | API Interceptor | 2x Sleep call for process: AgentPackageAgentInformation.exe modified

No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                                                                                                  • 13.245.101.151
                                                                                                                                                                                                                                                  santi.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                  • 13.248.169.48
                                                                                                                                                                                                                                                  PAYROLL LIST.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                  • 13.248.169.48
                                                                                                                                                                                                                                                  CV Lic H&S Olivetti Renzo.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                  • 13.248.221.243
                                                                                                                                                                                                                                                  VSP469620.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                  • 13.248.169.48
                                                                                                                                                                                                                                                  CV Lic H&S Olivetti Renzo.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                  • 76.223.74.74
                                                                                                                                                                                                                                                  arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                  • 3.122.148.244
                                                                                                                                                                                                                                                  arm5.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                  • 13.223.155.145
                                                                                                                                                                                                                                                  sparc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                  • 18.243.54.8
                                                                                                                                                                                                                                                  arm.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                  • 15.206.178.249
Match: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Associated samples (Detection: malicious, Threat Name: AteraAgent):
• setup (1).msi
• BOMB-762.msi
• LaudoBombeirosPDF.msi
• 1nzNNooNMS.msi
• Le55bnMCON.msi
• z8yxMFhhZI.msi
• kTbv9ZA2x0.msi
• IwmwOaVHnd.msi
• gaYiWz75kv.msi
• e8gTT6OTKZ.msi
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):8805
                                                                                                                                                                                                                                                                      Entropy (8bit):5.657992600443297
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:vj+xz1ccbTOOeMe0g61Q7r6IHfQ7r6kAVv70HVotBVeZEmzmYpLAV77sxpY92r:vSD2C0p0tiB2iY
                                                                                                                                                                                                                                                                      MD5:17B3636346F14043B5854A87C9EAB265
                                                                                                                                                                                                                                                                      SHA1:BEF1F7019B25CC86EE3F423D3822CB93F76D9240
                                                                                                                                                                                                                                                                      SHA-256:F77AAD41CCC7FAD1B162C2807ACDFAC872081995C51B61D65CD818DD6C28757C
                                                                                                                                                                                                                                                                      SHA-512:0857CEFF24F930279B86FD572A7062B52980B174CD8D757D310F16E914C546DFD20A3A9257B3A554CA9DE99810C0ABC6633ECB5A5CF2D2A6D6F14FB5693AAE0E
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\3f7202.rbs, Author: Joe Security
                                                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@.)xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..e0#U05ea.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{38F01010-E311-
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):753
                                                                                                                                                                                                                                                                      Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                                                      MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                                                      SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                                                      SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                                                      SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                      Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):7466
                                                                                                                                                                                                                                                                      Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                                                      MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                                                      SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                                                      SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                                                      SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):145968
                                                                                                                                                                                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                                                      Joe Sandbox View:
• Filename: setup (1).msi, Detection: malicious
• Filename: BOMB-762.msi, Detection: malicious
• Filename: LaudoBombeirosPDF.msi, Detection: malicious
• Filename: 1nzNNooNMS.msi, Detection: malicious
• Filename: Le55bnMCON.msi, Detection: malicious
• Filename: z8yxMFhhZI.msi, Detection: malicious
• Filename: kTbv9ZA2x0.msi, Detection: malicious
• Filename: IwmwOaVHnd.msi, Detection: malicious
• Filename: gaYiWz75kv.msi, Detection: malicious
• Filename: e8gTT6OTKZ.msi, Detection: malicious
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1442
                                                                                                                                                                                                                                                                      Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                                                      MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                                                      SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                                                      SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                      SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):3318832
                                                                                                                                                                                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):215088
                                                                                                                                                                                                                                                                      Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                      MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                      SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                      SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                      SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                      MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                      SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                      SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                      SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):384542
                                                                                                                                                                                                                                                                      Entropy (8bit):7.999374626035649
                                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                                      SSDEEP:6144:viqRTU5exRWDCtTLvL0XRFJE9A+BQlv9I+NBsNQvaNXvhGf1mzVeUXJLo:vil/DSLvAJ6CxBHmJXVpJLo
                                                                                                                                                                                                                                                                      MD5:4A09A87D2004DAC4B00687E9C9F15036
                                                                                                                                                                                                                                                                      SHA1:C78BB288E7A96642093ABE44CB9B7BBD3EC447BA
                                                                                                                                                                                                                                                                      SHA-256:2DBC8CF2592604C09793CBED61E0B072B1B1FFA375FB3C9ABCA83FA0E18AB9A5
                                                                                                                                                                                                                                                                      SHA-512:F555F5A0BB80514BC71BB33A77620D28A9E6715E538372AAA7F0500BC8D5BFE8511F5CA982E15304422479FF693E6F38510D6616A94580FC1B105DD2DA605EAA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):177704
                                                                                                                                                                                                                                                                      Entropy (8bit):5.814572246989157
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:2DpvOyLSson7aezB53Pbsk4GJCMA1TSuAehuZ7f2lz8/Cvolc3a:2D4y07asBx4krGSegZX3
                                                                                                                                                                                                                                                                      MD5:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                      SHA1:2E537E504704670B52CE775943F14BFBAF175C1B
                                                                                                                                                                                                                                                                      SHA-256:847D0CD49CCE4975BAFDEB67295ED7D2A3B059661560CA5E222544E9DFC5E760
                                                                                                                                                                                                                                                                      SHA-512:47228CBDBA54CD4E747DBA152FEB76A42BFC6CD781054998A249B62DD0426C5E26854CE87B6373F213B4E538A62C08A89A488E719E2E763B7B968E77FBF4FC02
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):546
                                                                                                                                                                                                                                                                      Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                                                      MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                                                      SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                                                      SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                                                      SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:WhWbn:WCn
                                                                                                                                                                                                                                                                      MD5:EB053699FC80499A7185F6D5F7D55BFE
                                                                                                                                                                                                                                                                      SHA1:9700472D22B1995C320507917FA35088AE4E5F05
                                                                                                                                                                                                                                                                      SHA-256:BCE3DFDCA8F0B57846E914D497F4BB262E3275F05EA761D0B4F4B778974E6967
                                                                                                                                                                                                                                                                      SHA-512:D66FA39C69D9C6448518CB9F98CBDAD4CE5E93CEEF8D20CE0DEEF91FB3E512B5D5A9458F7B8A53D4B68D693107872C5445E99F87C948878F712F8A79BC761DBF
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:version=38.0
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):96808
                                                                                                                                                                                                                                                                      Entropy (8bit):6.1799972918389185
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:UJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762A:UQUm2H5KTfOLgxFJjE50vksVUfPvO1W
                                                                                                                                                                                                                                                                      MD5:E2A9291940753244C88CB68D28612996
                                                                                                                                                                                                                                                                      SHA1:BAD8529A85C32E5C26C907CFB2FB0DA8461407AE
                                                                                                                                                                                                                                                                      SHA-256:6565E67D5DB582B3DE0B266EB59A8ACEC7CDF9943C020CB6879833D8BD784378
                                                                                                                                                                                                                                                                      SHA-512:F07669A3939E3E6B5A4D90C3A5B09CA2448E8E43AF23C08F7A8621817A49F7B0F5956D0539333A6DF334CC3E517255242E572EAEF02A7BBF4BC141A438BF9EB9
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):704552
                                                                                                                                                                                                                                                                      Entropy (8bit):5.953959038895453
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:/9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3i:/8m657w6ZBLmkitKqBCjC0PDgM5y
                                                                                                                                                                                                                                                                      MD5:3EF8D12AA1D48DEC3AC19A0CEABD4FD8
                                                                                                                                                                                                                                                                      SHA1:C81B7229A9BD55185A0EDCCB7E6DF3B8E25791CF
                                                                                                                                                                                                                                                                      SHA-256:18C1DDBDBF47370CC85FA2CF7BA043711AB3EADBD8DA367638686DFD6B735C85
                                                                                                                                                                                                                                                                      SHA-512:0FF2E8DBFEF7164B22F9AE9865E83154096971C3F0B236D988AB947E803C1ED03D86529AB80D2BE9FF33AF305D34C9B30082F8C26E575F0979CA9287B415F9F9
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):602672
                                                                                                                                                                                                                                                                      Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                      MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                      SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                      SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                      SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):73264
                                                                                                                                                                                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):215
                                                                                                                                                                                                                                                                      Entropy (8bit):5.223050347879674
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:A0JeGcbGxi9wqWluiKFHnFSLRg42VV1MsuCAmJDhATS/dFVIW/Xo2D2y:AKeWI9w3pKFSQILCANTS/mW9DX
                                                                                                                                                                                                                                                                      MD5:2E60383DCCF70EE2F1D9CD1C7717FA46
                                                                                                                                                                                                                                                                      SHA1:B5940663EE54EA2FCEB8F9F98EA132E9D02DAD4F
                                                                                                                                                                                                                                                                      SHA-256:6EE36E40A4764E8750BB1E89BA4FA126610D7D6BAD6805051E186486E122DF93
                                                                                                                                                                                                                                                                      SHA-512:70C62E50344F9846EC37177D8AD6DEEA600C61606E735CA770C0D9A3910195D83A597711A0315358FBC07CDFCA7B224E45298E245268D77F45D6B6D76F5C43E3
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:/i /IntegratorLogin=pjt145.chef@elbayrak.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000O3Ui7IAF /AgentId=883f7d62-963d-4a4e-aadf-4ee8e577d238.24/11/2024 05:15:36 Trace Starting..
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2402
                                                                                                                                                                                                                                                                      Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                                                      MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                                                      SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                                                      SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                                                      SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):651
                                                                                                                                                                                                                                                                      Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                                                      MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                                                      SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                                                      SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                                                      SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2994176
                                                                                                                                                                                                                                                                      Entropy (8bit):7.878659756548679
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:++1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:++lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                      MD5:37D7404F46D43EAC22991C947CC7B1F0
                                                                                                                                                                                                                                                                      SHA1:ABCC8525564E8264B539D685E826F957C12EF70D
                                                                                                                                                                                                                                                                      SHA-256:06FFAABE4A1829177F078D1E6AD6BBC6AF79D16729ABCC8A21E4EC854448BB3D
                                                                                                                                                                                                                                                                      SHA-512:17BA13C5306B76F41BF3467DD59D0DE54C052789750EFCF23F7E674F027FB53CCD1A1E5749BE035F9A2C77DC8945CCC24444D20A838055DAAD611C578828263C
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2994176
                                                                                                                                                                                                                                                                      Entropy (8bit):7.878659756548679
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:++1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:++lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                      MD5:37D7404F46D43EAC22991C947CC7B1F0
                                                                                                                                                                                                                                                                      SHA1:ABCC8525564E8264B539D685E826F957C12EF70D
                                                                                                                                                                                                                                                                      SHA-256:06FFAABE4A1829177F078D1E6AD6BBC6AF79D16729ABCC8A21E4EC854448BB3D
                                                                                                                                                                                                                                                                      SHA-512:17BA13C5306B76F41BF3467DD59D0DE54C052789750EFCF23F7E674F027FB53CCD1A1E5749BE035F9A2C77DC8945CCC24444D20A838055DAAD611C578828263C
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI7358.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI7984.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI9172.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):437311
                                                                                                                                                                                                                                                                      Entropy (8bit):6.6481079131184675
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:8t3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsI:MzOE2Z34KGzOE2Z34Kf
                                                                                                                                                                                                                                                                      MD5:CB1BD3ADF9363C2467BE80E96E4F795E
                                                                                                                                                                                                                                                                      SHA1:5C8FCCC74DF2C4942A738D18D3D769CEC7D10A5B
                                                                                                                                                                                                                                                                      SHA-256:1340FE6976BF3AF7AFEAACCEB68DF1BC456999132CD78D7D07C1C4DC92DBA244
                                                                                                                                                                                                                                                                      SHA-512:7EB049DD86622DFE1A90E31A40C5BE8BFE566B29CA29BF2C9641827E4E9BBA768588BF073B1CD4E5B13E2CCC513AF5F65CB32EE584A6252C1AE15FE3515BCF26
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI9422.tmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@.)xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..e0#U05ea.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[.....................
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIB318.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                                      Entropy (8bit):1.1636202363140837
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:JSbX72Fjdu6AGiLIlHVRpfh/7777777777777777777777777vDHFX676KYV5tpQ:J26QI5bJ676Ki7F
                                                                                                                                                                                                                                                                      MD5:5A4C17A81202B82D2992B48591062DFD
                                                                                                                                                                                                                                                                      SHA1:EAA46E260559EF9F4A1C859E95652B06BBD2DD94
                                                                                                                                                                                                                                                                      SHA-256:AAC52F4EFF929018ABE5BB9E03C55228377A37E97724E1B4F9605FB20181AA81
                                                                                                                                                                                                                                                                      SHA-512:5D490366287417BF8DAD6A076BDA41586A84B924E73D733CF3D6EADF1451A6161C65C471FB58C7BE65346BF530D2C4FBD35110C5DB7229A5A6EB44842CC2E4CC
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                                      Entropy (8bit):1.5595193746557166
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:tJ8Ph3uRc06WXJeFT56eqISoedGPdGftbr+2StedGPdGRub8n:Ch311FTk7IF2o4
                                                                                                                                                                                                                                                                      MD5:B151EB90B9F5430C1E7C504DA3CBB345
                                                                                                                                                                                                                                                                      SHA1:C0530FDEEF5291920F1F28F75464776288ABF2F5
                                                                                                                                                                                                                                                                      SHA-256:1EAD095C998EDF8A0D97CA1D1F39A437E233E9EDDE224080BA9F720102AD96B3
                                                                                                                                                                                                                                                                      SHA-512:6A56D74798F716912A7BE403724E895147577A563CE6192D340A8D7D0EB8AC46879FFC32DEDD3630EA7DE307221E44EE6716D3B5E0830080454D443AC4F40457
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):363829
                                                                                                                                                                                                                                                                      Entropy (8bit):5.365412359443523
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau/:zTtbmkExhMJCIpEC
                                                                                                                                                                                                                                                                      MD5:05B3A4F197356BB992128FDB2DC9BC6C
                                                                                                                                                                                                                                                                      SHA1:C79B07688EE5DD2BFA0982A588060BE3B8935DE6
                                                                                                                                                                                                                                                                      SHA-256:E7D4A70B035595FCB7244319060DD2BF242CB7412FD1BA3AF3C0D63B140892DA
                                                                                                                                                                                                                                                                      SHA-512:FB580369CA23A77F973507A3E59A5514CC0411ABC9EA2E79BC6EA3E55F59A282BE302BFF96D2DF02B00A322C4EA1195D50156CF9F54453574D21CC358A333770
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):704
                                                                                                                                                                                                                                                                      Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                                                      MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                                                      SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                                                      SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                                                      SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                      Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):111002
                                                                                                                                                                                                                                                                      Entropy (8bit):6.451729490748972
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:kPzgm47BQL7ZMFPZ7t0zfIagnbSLDII+D61SdOkC7/:kbgN7BGFoZ7+gbE8pD61JL
                                                                                                                                                                                                                                                                      MD5:E43056855200281951812F3A6D94EFF7
                                                                                                                                                                                                                                                                      SHA1:66253EFEAE45E17339D00E2277A4E619E7E2FABC
                                                                                                                                                                                                                                                                      SHA-256:04A68A7F0A5E5AEE56899E2080B5E5C6FCC35564F470551E8FB2031C45F2B03F
                                                                                                                                                                                                                                                                      SHA-512:B98CAAD890078D0FE69F35176AB294380D98B480E6BD973DA10EE31B175E63A53C5E4DFB61405B7FAB85EA5D5FB01C4869287B70D7FE2F3F50F619C313F8911C
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):111002
                                                                                                                                                                                                                                                                      Entropy (8bit):6.451729490748972
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:kPzgm47BQL7ZMFPZ7t0zfIagnbSLDII+D61SdOkC7/:kbgN7BGFoZ7+gbE8pD61JL
                                                                                                                                                                                                                                                                      MD5:E43056855200281951812F3A6D94EFF7
                                                                                                                                                                                                                                                                      SHA1:66253EFEAE45E17339D00E2277A4E619E7E2FABC
                                                                                                                                                                                                                                                                      SHA-256:04A68A7F0A5E5AEE56899E2080B5E5C6FCC35564F470551E8FB2031C45F2B03F
                                                                                                                                                                                                                                                                      SHA-512:B98CAAD890078D0FE69F35176AB294380D98B480E6BD973DA10EE31B175E63A53C5E4DFB61405B7FAB85EA5D5FB01C4869287B70D7FE2F3F50F619C313F8911C
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):471
                                                                                                                                                                                                                                                                      Entropy (8bit):7.187019651177751
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:JyYOzg5GLsHzqTykJ0Ysbwsn5SWPYkq3n:JRO0ILsyJ0Y+Z5lYn
                                                                                                                                                                                                                                                                      MD5:441A4996E2EE86C4B588D8C0D407E7C2
                                                                                                                                                                                                                                                                      SHA1:0987D79EAECF4AFAD0E5C6F7BD9BD0A90CEABBD4
                                                                                                                                                                                                                                                                      SHA-256:300CFA12D5560F2B04E870FE42E15B6A2007E8F53E4CE1329BD506382075E657
                                                                                                                                                                                                                                                                      SHA-512:8D6D5BD1EA7BAAFEB8CA750CE112ED7FAD1477E1DEEF34994A145893EED217D1A9990A52D76790F8C00484378778504626E5C6A5F5193B8DA661AFDBD62600B0
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):71954
                                                                                                                                                                                                                                                                      Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):727
                                                                                                                                                                                                                                                                      Entropy (8bit):7.537072345098989
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:5o6Tq9R5h44TUqrqILBKSB/P8KcFHiGIkZEaOR6qtcO4CoTBF/ZW9FD1QvuTw/n/:54oqXVKSBH8KqiGZtfqiOboTBF4l1ve/
                                                                                                                                                                                                                                                                      MD5:49BA85BE2CB152368FE6EE8982CF3D76
                                                                                                                                                                                                                                                                      SHA1:F078FDB44C9C62D64DC79849C7E41DEC4441A9C0
                                                                                                                                                                                                                                                                      SHA-256:28B91A2A15DFCE2BB789D5CF10E55DC8D46418AF6E8574CBA83CCAD4D396BE68
                                                                                                                                                                                                                                                                      SHA-512:67F5293A94BF17ED5031EEC51EE06BBC467860CDC48A2712694418185C0D400386BCD3D3C4FB46E7B5E50EEE1A6A4747707A3058D0C982B4CB16E8374816E787
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):737
                                                                                                                                                                                                                                                                      Entropy (8bit):7.5557187233228245
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:yeRLaWQMnFQlRAUcncFfBJurIT/L3wH/c9q5kvs0LQ+TDOFbx2UJhE47J:y2GWnSxuctGeqiW+Lp6L2ehE47J
                                                                                                                                                                                                                                                                      MD5:3DE65469B9F550FA32724673E299DFE2
                                                                                                                                                                                                                                                                      SHA1:4AAA64A5E233B459C3D4A5BCDD6EB115990C880D
                                                                                                                                                                                                                                                                      SHA-256:36BD170660F76039F65092E3CFB6F5AE7E6CE34E8E7321FABA7059E8407E3EB8
                                                                                                                                                                                                                                                                      SHA-512:642459FD1971BD4EBBC4C7128515F15D1F8AF15FE9AA5E992BDA18BB25B5913F3C36FCB1D9CA9D184C58F92295639976E3ECED7FEE5DEBB672C8F230EB31CD6E
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1716
                                                                                                                                                                                                                                                                      Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                                      MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                                      SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                                      SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                                      SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):727
                                                                                                                                                                                                                                                                      Entropy (8bit):7.534031201200033
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:5onfZUxc5RlRtBfQOx/hsLzjyNiA6M4SjmFjt5Y1DohqGoz7UcN/YNjoRLUE2lH2:5iCxcdZbxJqjFJ5mDohqocRYN7latn
                                                                                                                                                                                                                                                                      MD5:3AA154C597F0D3EF221B82298CE04F78
                                                                                                                                                                                                                                                                      SHA1:C15D53176E903BFAB12665B3E42D1B9ECCFB54D0
                                                                                                                                                                                                                                                                      SHA-256:B75A76C1C71E981D5299E2A8F85D317D14DA91FD79A615C70EF14876EBC9557D
                                                                                                                                                                                                                                                                      SHA-512:B9B93ED7F99E8B96EFB85A4DC9A8CEE9F7057B87DA9C2A1FE82FE8CD308F89C42E76E9170BB429999E1D985AF7847463B8C60173C44413685472E0B5E2306324
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1428
                                                                                                                                                                                                                                                                      Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                                      MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                                      SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                                      SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                                      SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):306
                                                                                                                                                                                                                                                                      Entropy (8bit):3.488450032440544
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kKqMrs0d5DRAUSW0P3PeXJUwh8lmi36lImJGelN:BrHd51xSW0P3PeXJUZ6NXlN
                                                                                                                                                                                                                                                                      MD5:047E6C67EE6A3B5562405DD86FCD05EB
                                                                                                                                                                                                                                                                      SHA1:09EB23A836870DF1ED1A0EE6FA325775CBB6B384
                                                                                                                                                                                                                                                                      SHA-256:5A909406B622F274F61C37818D47DBCBA4E5CAD17EC484BB74EF08F143F2771F
                                                                                                                                                                                                                                                                      SHA-512:32200E8675B1E70F0137AE103B8BBB2B7B85DEE632790E7B1B015DE29C7B9BFF28656EFC3467A874311C0183C01AA8540803D5E81A4F785CDA87981D16E80084
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ........ B.....(.................................................Jv&C.. .........e..=.. ..."...............h.t.t.p.:././.c.r.l.3...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.l...".6.7.4.1.d.5.5.d.-.1.b.1.9.a."...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):306
                                                                                                                                                                                                                                                                      Entropy (8bit):3.269654141273453
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kKHOM4A3H5DhOAUSW0P3PeXJUwh8lmi36lImJGelN:/OLAX5wxSW0P3PeXJUZ6NXlN
                                                                                                                                                                                                                                                                      MD5:58E0427D15BE426F5BC4E734AB730F8F
                                                                                                                                                                                                                                                                      SHA1:D4CBB7F75C1A7DA64A615C4F7430E3DCF9DCF964
                                                                                                                                                                                                                                                                      SHA-256:AC3F2A1B41663877524775495D8DE5B5EB583F39E6BCE0461D5D4DF32CA111CF
                                                                                                                                                                                                                                                                      SHA-512:67C4396DA6F427854D9F0B0EDE8405140A1AFDD95F7128DDF42A81FA0E4F757574F448166ACF6F2A75AEC43EE1BDB3EDBA016383B70B0183BA09E24D7687D905
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ........c..)O...(....................................................... .........e..=.. ..."...............h.t.t.p.:././.c.r.l.4...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.l...".6.7.4.1.d.5.5.d.-.1.b.1.9.a."...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):338
                                                                                                                                                                                                                                                                      Entropy (8bit):3.461007218574996
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kKBhtK8T8JFN+SkQlPlEGYRMY9z+s3Ql2DUevat:5K03kPlE99SCQl2DUevat
                                                                                                                                                                                                                                                                      MD5:0E36BD516F9B04BFA344508612D7D96F
                                                                                                                                                                                                                                                                      SHA1:40D97F9E914C0FBA1B3E0021F19E739074E4990C
                                                                                                                                                                                                                                                                      SHA-256:5FAB749EC790C95B2D932B4EB763FFAE1A486B2DD86E3B613D84EF5E9B7EB6EA
                                                                                                                                                                                                                                                                      SHA-512:6E27CEF02E18F0B3E5E526336FD30465AA9382E10B80EDB2F2DEA64D5A5D5EEDB9CF3AC1F0897647071EB15FB72548592AC866AEAB15B1BC13CD1D8A05A88F5E
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ........a.Y-'{..(...............................................V.X..>.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):400
                                                                                                                                                                                                                                                                      Entropy (8bit):3.9568567812445976
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kK6klvWhqXlF3s8xXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:S0Xn3NnmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                                                      MD5:7F37F145E9EABCCC0DB6126FD3F6AF05
                                                                                                                                                                                                                                                                      SHA1:183A74F8DD5E7E0D2AA098EA363DFB113D5BBA0D
                                                                                                                                                                                                                                                                      SHA-256:F996DDAE637F323C4824B844B982215E80B78123A2BCB68642118014AD634A81
                                                                                                                                                                                                                                                                      SHA-512:90354D24E4ED305B4A7C67B49612DF7F21F292D00A68BC21AD187D3A784A9578DBF23790F7B259774925F91577507D0B5C9400124AC40A661A814B8BF7D33624
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... .........j..Y>..(................~...=....o.ZC....................o.ZC.. ..........LW>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):290
                                                                                                                                                                                                                                                                      Entropy (8bit):2.96942707846688
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kKTnDL9Usw9L+N+SkQlPlEGYRMY9z+4KlDA3RUe/:Ln2D9LNkPlE99SNxAhUe/
                                                                                                                                                                                                                                                                      MD5:7365C9454EFCA80958B3084C016C9820
                                                                                                                                                                                                                                                                      SHA1:C296D0AA3CD9583E2DFB85047F38FED621B20193
                                                                                                                                                                                                                                                                      SHA-256:69AD353009635C64C649830AC7151F35E11F10C2426A304934D378FFC6389A1E
                                                                                                                                                                                                                                                                      SHA-512:EEAB6EB0A746FD470EB0778FB6BFC024E2A24BB041A460DB832E202B3DFDD2786910F48C0E90B83DC798BC05C15AAC67645D6DBA6DD4A48A02FD81F4FAF57AF8
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... .........'YId>..(....................................................... ........G..@.......................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):404
                                                                                                                                                                                                                                                                      Entropy (8bit):3.5308065053259567
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kK3Yr+y4YfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSikKYlF:++UmxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                                                      MD5:D5C879F5E11C1689DD0D4FAD27587E94
                                                                                                                                                                                                                                                                      SHA1:B617AAA8A1B7F77B84D440F408AC29DD92BDDDF7
                                                                                                                                                                                                                                                                      SHA-256:88E71BA07DDA376154D5EC5B0796E9E06F9DA427E170CAC41F1CEDFC83D0FEC4
                                                                                                                                                                                                                                                                      SHA-512:89DB0D0C4667BFBF2396519F8F88C1438929DD2A82B329230E8D894E40E949266CA56DE64AE5F6A86707DC58CAD52B60379B31C4ED4A8A3B202670927A2CA738
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... .... ...g..mX...(....................................................... ...........O>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):248
                                                                                                                                                                                                                                                                      Entropy (8bit):3.032611618918961
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:kkFklVxCzL/tfllXlE/xZ/JtINRR8WXdA31y+NW0y1YbXKw+l1M7GlWB5lL1AWl/:kKZn/oZ/8FAUSW0PTKDXM6lWTJ
                                                                                                                                                                                                                                                                      MD5:579EB8847911C354216138F61418CF66
                                                                                                                                                                                                                                                                      SHA1:DB1CFB670553C0240DDEA19643C30783F5905B70
                                                                                                                                                                                                                                                                      SHA-256:0146D165D4CB2BA1159B6293FB0882679D47A462DB74E4AE39917E55B166B677
                                                                                                                                                                                                                                                                      SHA-512:172B296DFF740E0F5FBCCA0522619360B4E01C6F0D5FE5C08451747CC6649F1A4535FA180AD75DD16C55E20C6B160106E32F4D29799441ACAB730BCF4D1ACF90
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ....f...,..'F...(....................................................... ........T.~.:.. ...................h.t.t.p.:././.c.r.l.3...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.l...".6.7.3.d.0.d.e.d.-.2.e.1."...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):308
                                                                                                                                                                                                                                                                      Entropy (8bit):3.209426106240946
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kK/XfzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:X6tWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                                                      MD5:8054A1CFEF4B2EF4F1CCCC7D282CAB7A
                                                                                                                                                                                                                                                                      SHA1:9E2D8D884B62BF0F9485D288288A8979690AA3FB
                                                                                                                                                                                                                                                                      SHA-256:767DE2AD8224741F12929D5496AD25C65C82B0AFA9B4D552244ADD51F4F82D57
                                                                                                                                                                                                                                                                      SHA-512:4EB2C3B99B2390693F6C7E12646F187CD20F882F64FE93FEDF9B395A9709F62C8D98C5143A6BB2765BB181C16A989EDA60DBCE1038E2D813741B74D794579AB5
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... .........|.?c>..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):412
                                                                                                                                                                                                                                                                      Entropy (8bit):3.513455753789183
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kKSDsFkISfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:MwfSmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                                                      MD5:7E5C0D6F48440D72919A6A3B93BAD0E0
                                                                                                                                                                                                                                                                      SHA1:588F1D846CD8DD4CFD2B35B4A2B31CFAA1C5BC2C
                                                                                                                                                                                                                                                                      SHA-256:8C71ABFB86B7C239EC1298633A9280691718052ABABB52F9C4821A1045FDBD28
                                                                                                                                                                                                                                                                      SHA-512:42ABE8D2C6BE6CAF747D8F13DC0AB3101CCDE444AA439C97A5F4B40D7F6BF68BDC2E877C18514730E4313F6D351896A075C8CAE3C18ADD690CB6AD52D071D47C
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ....(....TQP[...(....................................................... .........AW>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):254
                                                                                                                                                                                                                                                                      Entropy (8bit):3.037544006617331
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:kKWPhLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:2LYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                                                      MD5:4C5029CBD5F051B915F7D21305457DE6
                                                                                                                                                                                                                                                                      SHA1:65625A52E7BB190B1F309C1BB9CB4DF7CBAC7D19
                                                                                                                                                                                                                                                                      SHA-256:7DCA71821C966B3D87834638180C5905273FA22333E730EFAC91D72072950D46
                                                                                                                                                                                                                                                                      SHA-512:39E52820618F1227452EC48E36303CFE878870EDC9A6E008969BF625778DC53A8C63F2FBEC21E5A16E8F7FC870D92EC71645EEB2C0F450BD8B4269D0A4D00D06
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:p...... ....l...8...c>..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1944
                                                                                                                                                                                                                                                                      Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                                                      MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                                                      SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                                                      SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                                                      SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                                                      Entropy (8bit):0.1406547166871852
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:CnkuvzmipVfedGSadGS7qIipVGedGSadGSAVPwGDFlrkgOHhZ+kNA:CnkubmStedGPdGeqISoedGPdGftbr+v
                                                                                                                                                                                                                                                                      MD5:59AE8B763ED957D95D42D346C5562B41
                                                                                                                                                                                                                                                                      SHA1:014F724240AEA96B5D56266EDACF9B68178E38F3
                                                                                                                                                                                                                                                                      SHA-256:1477082F7BA6D3D57085C699BD5EF8383133FF2B7994096F97DD3A3D6C044BD4
                                                                                                                                                                                                                                                                      SHA-512:87DD986C2D8BACC79FB8D20E4597E898B7B63654B54860484E39D0D393E25C58D2396490EAE06DE3290D6777431884B36E10773B9DF5BFBDC9820A81F52C4A80
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF47766066B75C798D.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):0.07050739689281887
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOX6bnhsKh6QAnt4Vky6lw:2F0i8n0itFzDHFX676KYVBw
                                                                                                                                                                                                                                                                      MD5:E11DA859720286F6ABCEF7E2CF3CA03C
                                                                                                                                                                                                                                                                      SHA1:1AD7816403310695740ABB148D4AB02F86FDB58F
                                                                                                                                                                                                                                                                      SHA-256:D2D40E4403D717C046E762257F9C69606EA631F0CFDF7687E7E212A22711E5B9
                                                                                                                                                                                                                                                                      SHA-512:EB61FE6FBFF4F7120F8D8F1F318427C00E698522389D523C662499B778C05C5ABE3753D017DEF4D961C9F08739917AC5D2DB53D16AEBEDD59C5889B2B8EAE117
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                                      Entropy (8bit):1.5595193746557166
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:tJ8Ph3uRc06WXJeFT56eqISoedGPdGftbr+2StedGPdGRub8n:Ch311FTk7IF2o4
                                                                                                                                                                                                                                                                      MD5:B151EB90B9F5430C1E7C504DA3CBB345
                                                                                                                                                                                                                                                                      SHA1:C0530FDEEF5291920F1F28F75464776288ABF2F5
                                                                                                                                                                                                                                                                      SHA-256:1EAD095C998EDF8A0D97CA1D1F39A437E233E9EDDE224080BA9F720102AD96B3
                                                                                                                                                                                                                                                                      SHA-512:6A56D74798F716912A7BE403724E895147577A563CE6192D340A8D7D0EB8AC46879FFC32DEDD3630EA7DE307221E44EE6716D3B5E0830080454D443AC4F40457
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6A4DE52DC2399F9D.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):1.2490292654362287
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:MCgvuk6PveFXJfT56eqISoedGPdGftbr+2StedGPdGRub8n:QvJ3Tk7IF2o4
                                                                                                                                                                                                                                                                      MD5:5218C79513C397D0FB332820811D2E7C
                                                                                                                                                                                                                                                                      SHA1:EFB92167173387284C333C8B7C010F31B7B4262B
                                                                                                                                                                                                                                                                      SHA-256:D92025D058A4DBB43029430E4558A51DBD14FA513C3D1C181C7F497FF005EE20
                                                                                                                                                                                                                                                                      SHA-512:04E5C3F501C935A536CAAE8FA8878C044CBC6FA22DAEF77A9A52F882CF9476CE8FDEE1F32DDA8960CC51E976A4CCB81469E6B4564E1D59AE44C69E04458EB8D3
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7B5BC7245F2550A2.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                                                      Entropy (8bit):1.5595193746557166
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:tJ8Ph3uRc06WXJeFT56eqISoedGPdGftbr+2StedGPdGRub8n:Ch311FTk7IF2o4
                                                                                                                                                                                                                                                                      MD5:B151EB90B9F5430C1E7C504DA3CBB345
                                                                                                                                                                                                                                                                      SHA1:C0530FDEEF5291920F1F28F75464776288ABF2F5
                                                                                                                                                                                                                                                                      SHA-256:1EAD095C998EDF8A0D97CA1D1F39A437E233E9EDDE224080BA9F720102AD96B3
                                                                                                                                                                                                                                                                      SHA-512:6A56D74798F716912A7BE403724E895147577A563CE6192D340A8D7D0EB8AC46879FFC32DEDD3630EA7DE307221E44EE6716D3B5E0830080454D443AC4F40457
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF92B08A0855196A93.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):1.2490292654362287
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:MCgvuk6PveFXJfT56eqISoedGPdGftbr+2StedGPdGRub8n:QvJ3Tk7IF2o4
                                                                                                                                                                                                                                                                      MD5:5218C79513C397D0FB332820811D2E7C
                                                                                                                                                                                                                                                                      SHA1:EFB92167173387284C333C8B7C010F31B7B4262B
                                                                                                                                                                                                                                                                      SHA-256:D92025D058A4DBB43029430E4558A51DBD14FA513C3D1C181C7F497FF005EE20
                                                                                                                                                                                                                                                                      SHA-512:04E5C3F501C935A536CAAE8FA8878C044CBC6FA22DAEF77A9A52F882CF9476CE8FDEE1F32DDA8960CC51E976A4CCB81469E6B4564E1D59AE44C69E04458EB8D3
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9D0DB2C030910D25.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):1.2490292654362287
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:MCgvuk6PveFXJfT56eqISoedGPdGftbr+2StedGPdGRub8n:QvJ3Tk7IF2o4
                                                                                                                                                                                                                                                                      MD5:5218C79513C397D0FB332820811D2E7C
                                                                                                                                                                                                                                                                      SHA1:EFB92167173387284C333C8B7C010F31B7B4262B
                                                                                                                                                                                                                                                                      SHA-256:D92025D058A4DBB43029430E4558A51DBD14FA513C3D1C181C7F497FF005EE20
                                                                                                                                                                                                                                                                      SHA-512:04E5C3F501C935A536CAAE8FA8878C044CBC6FA22DAEF77A9A52F882CF9476CE8FDEE1F32DDA8960CC51E976A4CCB81469E6B4564E1D59AE44C69E04458EB8D3
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD6287FB4F7B1D804.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):456
                                                                                                                                                                                                                                                                      Entropy (8bit):5.382811024355652
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:Y0rsShlOS0+3dYIqhQO2xOiS0g5pGE3rTP7nR/TSj:Y0rBBtD/vgiEXPl/c
                                                                                                                                                                                                                                                                      MD5:8422C18082D3D52EB95BD8CAB8E02D57
                                                                                                                                                                                                                                                                      SHA1:E92370906B1AF288F50193318289F98C22278705
                                                                                                                                                                                                                                                                      SHA-256:E1B7247071A67778477F71C6C109C55AA2B210F6DE4CB470A1B6F349AACA4780
                                                                                                                                                                                                                                                                      SHA-512:5A39B81EBE575D3CD46E25E30C2615EB6F6A8189EA4A7CC541A7EE0B6F83561FDDEA2CE7572BED37D2020311099D4675FE6607B1A5348929694E4CA840EC56F1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:{"PackageName":"AgentPackageAgentInformation","ExecutableCommandArgs":["minimalIdentification"],"Data":{"AccountId":"001Q300000O3Ui7IAF","UserLogin":"pjt145.chef@elbayrak.com","MachineName":"138727","CustomerId":"1","FolderId":"","IsMinimalIdentification":true,"UniqueMachineIdentifier":"wuzX8gTJwRn1e7dGcpNszZLD4b9B9AIjvH8Yr1fg54c=","OsType":"Windows"},"CommandId":"16904213-f096-40ec-9bf1-11c4695deea3","AgentId":"883f7d62-963d-4a4e-aadf-4ee8e577d238"}..
                                                                                                                                                                                                                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                      Entropy (8bit):7.878659756548679
                                                                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                                                                      • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                                                      • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                                                      File name:e0#U05ea.msi
                                                                                                                                                                                                                                                                      File size:2'994'176 bytes
                                                                                                                                                                                                                                                                      MD5:37d7404f46d43eac22991c947cc7b1f0
                                                                                                                                                                                                                                                                      SHA1:abcc8525564e8264b539d685e826f957c12ef70d
                                                                                                                                                                                                                                                                      SHA256:06ffaabe4a1829177f078d1e6ad6bbc6af79d16729abcc8a21e4ec854448bb3d
                                                                                                                                                                                                                                                                      SHA512:17ba13c5306b76f41bf3467dd59d0de54c052789750efcf23f7e674f027fb53ccd1a1e5749be035f9a2c77dc8945ccc24444d20a838055daad611c578828263c
                                                                                                                                                                                                                                                                      SSDEEP:49152:++1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:++lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                      TLSH:E7D523117584483AE37B0A358D7ADAA05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                                                      Icon Hash:2d2e3797b32b2b99
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T11:15:51.050611+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49776 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:35.984255+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49883 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:47.004689+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49914 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:54.207757+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49935 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:00.277308+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49956 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:03.728861+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49970 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:09.629152+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49993 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:16.645622+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 50027 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:22.433110+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 50049 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:28.077033+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 50072 | 13.232.67.198 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.775178909 CET4434975013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.775609970 CET4434975013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.776849985 CET49750443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.819331884 CET4434975013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.846290112 CET4434975113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.846369028 CET49751443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.848140955 CET49751443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.848155975 CET4434975113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.848422050 CET4434975113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.849468946 CET49751443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:43.895334005 CET4434975113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.290925980 CET4434975013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.290990114 CET4434975013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.291369915 CET49750443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.335695982 CET49750443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.360523939 CET4434975113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.407727003 CET49751443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.407754898 CET4434975113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.408469915 CET49751443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.408565998 CET4434975113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.408617020 CET49751443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.590106964 CET49761443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.590136051 CET4434976113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.591121912 CET49761443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.595393896 CET49762443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.595422029 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.596263885 CET49762443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.596939087 CET49762443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.596952915 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.597024918 CET49761443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:44.597040892 CET4434976113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.912594080 CET4434976113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.912719011 CET49761443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.914762020 CET49761443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.914786100 CET4434976113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.915056944 CET4434976113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.916565895 CET49761443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.959338903 CET4434976113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.974847078 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.974939108 CET49762443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.976902962 CET49762443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.976913929 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.977180004 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:46.978214025 CET49762443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.019332886 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.432557106 CET4434976113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.432624102 CET4434976113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.432801962 CET49761443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.502981901 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.503002882 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.503071070 CET49762443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.503079891 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.503098965 CET4434976213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.503145933 CET49762443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.503855944 CET49762443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:47.801422119 CET49761443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.053167105 CET49776443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.053215027 CET4434977613.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.053277016 CET49776443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.053883076 CET49776443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.053916931 CET4434977613.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.054366112 CET49777443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.054414034 CET4434977713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.054475069 CET49777443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.054735899 CET49777443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.054750919 CET4434977713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.498528004 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.498573065 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.498647928 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.498989105 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.499003887 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.320828915 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.321000099 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.323004961 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.323018074 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.323268890 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.324275970 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.367327929 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.453052044 CET4434977713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.454519033 CET49777443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.454550028 CET4434977713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.526614904 CET4434977613.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:50.528073072 CET49776443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.834002018 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.834018946 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.842437983 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.842466116 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.842504978 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.842518091 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.842541933 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.851578951 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.851603985 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.851691961 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.851706028 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.861501932 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.861527920 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.861582041 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.861592054 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.861635923 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.871135950 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.871156931 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.871284008 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.871301889 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.923441887 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.988823891 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.988903999 CET44349778108.158.75.93192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.988938093 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.988985062 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:51.989387035 CET49778443192.168.2.10108.158.75.93
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.054999113 CET49883443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.055082083 CET4434988313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.055160046 CET49883443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.055775881 CET49883443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:33.055794001 CET4434988313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.430262089 CET4434988313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.459214926 CET49883443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.459225893 CET4434988313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.984294891 CET4434988313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.984390020 CET4434988313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.984455109 CET49883443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.986160994 CET49883443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.987402916 CET49890443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.987454891 CET4434989013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.987545967 CET49890443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.987848997 CET49890443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:35.987862110 CET4434989013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.308135986 CET4434989013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.317707062 CET49890443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.317727089 CET4434989013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.871280909 CET4434989013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.871382952 CET4434989013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.871433020 CET49890443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:38.872306108 CET49890443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:43.958941936 CET4434977713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:43.959012032 CET4434977713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:43.959072113 CET49777443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:43.959089994 CET4434977713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:43.959147930 CET4434977713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:43.959197044 CET49777443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.004712105 CET49777443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.164231062 CET49914443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.164251089 CET4434991413.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.164300919 CET49914443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.165978909 CET49915443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.165998936 CET4434991513.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.166059017 CET49915443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.166395903 CET49915443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.166413069 CET4434991513.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.167035103 CET49914443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:44.167046070 CET4434991413.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:46.489078045 CET4434991413.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:46.491576910 CET49914443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:46.491590977 CET4434991413.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:46.553436995 CET4434991513.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:46.555757046 CET49915443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:46.555785894 CET4434991513.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:47.004687071 CET4434991413.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:47.004769087 CET4434991413.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:47.005197048 CET49914443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:47.005709887 CET49914443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.362499952 CET49915443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.362699986 CET4434991513.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.362802029 CET49915443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.369658947 CET49935443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.369704008 CET4434993513.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:51.369802952 CET49935443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:02.016007900 CET49966443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:02.210174084 CET49974443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:02.210177898 CET49977443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:02.210208893 CET4434997713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:02.210710049 CET49977443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:02.214556932 CET49977443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:02.214570999 CET4434997713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:02.255325079 CET4434997413.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.091178894 CET4434997013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.091248989 CET49970443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.165883064 CET49970443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.165915966 CET4434997013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.166228056 CET4434997013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.204521894 CET49970443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.247335911 CET4434997013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.728843927 CET4434997013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.728914976 CET4434997013.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.728970051 CET49970443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.729697943 CET49970443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.731038094 CET49982443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.731069088 CET4434998213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.731126070 CET49982443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.731450081 CET49982443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:03.731460094 CET4434998213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.291485071 CET4434997413.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.291588068 CET49974443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.291588068 CET49974443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.878177881 CET4434997713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.878263950 CET49977443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.880208015 CET49977443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.880219936 CET4434997713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.880546093 CET4434997713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.881876945 CET49977443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:04.927330971 CET4434997713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.413259983 CET4434997713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.413430929 CET4434997713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.413494110 CET49977443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.414088964 CET49977443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.415385962 CET49988443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.415417910 CET4434998813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.415548086 CET49988443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.415863037 CET49988443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:05.415877104 CET4434998813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.198522091 CET4434998213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.200050116 CET49982443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.200062990 CET4434998213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.781193972 CET4434998213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.781275034 CET4434998213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.781564951 CET49982443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.782217979 CET49982443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.783293962 CET49993443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.783337116 CET4434999313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.783505917 CET49993443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.784640074 CET49993443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:06.784655094 CET4434999313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:07.738229036 CET4434998813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:07.739593983 CET49988443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:07.739623070 CET4434998813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.252851963 CET4434998813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.253015041 CET4434998813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.253135920 CET49988443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.254098892 CET49988443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.254821062 CET50002443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.254864931 CET4435000213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.255017996 CET50002443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.255270958 CET50002443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:08.255285978 CET4435000213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.099302053 CET4434999313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.101885080 CET49993443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.101902008 CET4434999313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.629246950 CET4434999313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.629401922 CET4434999313.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.629467964 CET49993443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.630178928 CET49993443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.631674051 CET50007443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.631716967 CET4435000713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.631870985 CET50007443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.632160902 CET50007443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.632174015 CET4435000713.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.382452011 CET4435000213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.384654045 CET50002443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.384680033 CET4435000213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:10.898694992 CET4435000213.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.408447981 CET4435007813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.410718918 CET50078443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.410744905 CET4435007813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.948940992 CET4435007813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.995742083 CET50078443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.995763063 CET4435007813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.996222973 CET50078443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.996284008 CET4435007813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.996483088 CET4435007813.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.996579885 CET50078443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.996579885 CET50078443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.996639013 CET50081443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.996692896 CET4435008113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.996766090 CET50081443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.997035980 CET50081443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:30.997056007 CET4435008113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:33.398401022 CET4435008113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:33.398505926 CET50081443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:33.400562048 CET50081443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:33.400572062 CET4435008113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:33.401048899 CET4435008113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:33.401964903 CET50081443192.168.2.1013.232.67.198
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:33.443351030 CET4435008113.232.67.198192.168.2.10
                                                                                                                                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:26.369442940 CET6301153192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:38.112426043 CET5982453192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:41.216725111 CET5478653192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:41.260096073 CET5924253192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:41.353924990 CET53547861.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:41.411232948 CET6354553192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.051074028 CET5173253192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:48.497090101 CET53517321.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:15:52.986774921 CET5292353192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:40.925534964 CET5131953192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:49.174875975 CET5768053192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:16:57.296565056 CET5478553192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:07.182714939 CET6372453192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:09.729038000 CET5578053192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                      Nov 24, 2024 11:17:21.046807051 CET6173353192.168.2.101.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 11:15:26.369442940 CET | 192.168.2.10 | 1.1.1.1 | 0xf44e | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:38.112426043 CET | 192.168.2.10 | 1.1.1.1 | 0x41c0 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:41.216725111 CET | 192.168.2.10 | 1.1.1.1 | 0xfa51 | Standard query (0) | ps.pndsn.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:41.260096073 CET | 192.168.2.10 | 1.1.1.1 | 0x1dbb | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:41.411232948 CET | 192.168.2.10 | 1.1.1.1 | 0x2534 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:48.051074028 CET | 192.168.2.10 | 1.1.1.1 | 0x3eac | Standard query (0) | ps.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:52.986774921 CET | 192.168.2.10 | 1.1.1.1 | 0x5da7 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:40.925534964 CET | 192.168.2.10 | 1.1.1.1 | 0x5960 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:49.174875975 CET | 192.168.2.10 | 1.1.1.1 | 0x7673 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:57.296565056 CET | 192.168.2.10 | 1.1.1.1 | 0xe2d7 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:17:07.182714939 CET | 192.168.2.10 | 1.1.1.1 | 0x41a2 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:17:09.729038000 CET | 192.168.2.10 | 1.1.1.1 | 0xae84 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:17:21.046807051 CET | 192.168.2.10 | 1.1.1.1 | 0x1971 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 11:15:26.508471966 CET | 1.1.1.1 | 192.168.2.10 | 0xf44e | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:33.342550039 CET | 1.1.1.1 | 192.168.2.10 | 0xea08 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.0 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:33.342550039 CET | 1.1.1.1 | 192.168.2.10 | 0xea08 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.128 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:34.946270943 CET | 1.1.1.1 | 192.168.2.10 | 0xc7c4 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:34.946270943 CET | 1.1.1.1 | 192.168.2.10 | 0xc7c4 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:36.533381939 CET | 1.1.1.1 | 192.168.2.10 | 0xf51d | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:36.533381939 CET | 1.1.1.1 | 192.168.2.10 | 0xf51d | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:36.599533081 CET | 1.1.1.1 | 192.168.2.10 | 0x783b | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:36.599533081 CET | 1.1.1.1 | 192.168.2.10 | 0x783b | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:38.250102043 CET | 1.1.1.1 | 192.168.2.10 | 0x41c0 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:41.353924990 CET | 1.1.1.1 | 192.168.2.10 | 0xfa51 | No error (0) | ps.pndsn.com | | 13.232.67.198 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:41.353924990 CET | 1.1.1.1 | 192.168.2.10 | 0xfa51 | No error (0) | ps.pndsn.com | | 13.232.67.199 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:41.397042990 CET | 1.1.1.1 | 192.168.2.10 | 0x1dbb | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:41.549189091 CET | 1.1.1.1 | 192.168.2.10 | 0x2534 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497090101 CET | 1.1.1.1 | 192.168.2.10 | 0x3eac | No error (0) | ps.atera.com | d25btwd9wax8gu.cloudfront.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497090101 CET | 1.1.1.1 | 192.168.2.10 | 0x3eac | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.93 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497090101 CET | 1.1.1.1 | 192.168.2.10 | 0x3eac | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.12 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497090101 CET | 1.1.1.1 | 192.168.2.10 | 0x3eac | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.4 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497090101 CET | 1.1.1.1 | 192.168.2.10 | 0x3eac | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.46 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:52.289815903 CET | 1.1.1.1 | 192.168.2.10 | 0x61e | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:52.289815903 CET | 1.1.1.1 | 192.168.2.10 | 0x61e | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:53.124706030 CET | 1.1.1.1 | 192.168.2.10 | 0x5da7 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:16:36.931391001 CET | 1.1.1.1 | 192.168.2.10 | 0x8e14 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:36.931391001 CET | 1.1.1.1 | 192.168.2.10 | 0x8e14 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:41.064017057 CET | 1.1.1.1 | 192.168.2.10 | 0x5960 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:16:49.311728954 CET | 1.1.1.1 | 192.168.2.10 | 0x7673 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:16:57.434542894 CET | 1.1.1.1 | 192.168.2.10 | 0xe2d7 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:17:07.321975946 CET | 1.1.1.1 | 192.168.2.10 | 0x41a2 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:17:09.867798090 CET | 1.1.1.1 | 192.168.2.10 | 0xae84 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:17:21.186778069 CET | 1.1.1.1 | 192.168.2.10 | 0x1971 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                                                                                                                                                                                      • ps.pndsn.com
                                                                                                                                                                                                                                                                      • ps.atera.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49750 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:43 UTC | 183 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=484b7669-faad-46fb-95da-3f494fe71338&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
Connection: Keep-Alive
2024-11-24 10:15:44 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:44 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:44 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 34 34 30 34 32 33 38 39 31 5d
Data Ascii: [17324433440423891]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49751 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:43 UTC | 364 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=828d2fae-bb40-4bf1-b7d4-c9f95f35880c&tt=0&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
Connection: Keep-Alive
2024-11-24 10:15:44 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:44 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:44 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 34 34 30 31 33 33 38 31 35 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324433440133815","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49761 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:46 UTC | 183 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5e281e32-d56c-48ee-a94d-f7f921f64993&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
Connection: Keep-Alive
2024-11-24 10:15:47 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:47 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:47 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 34 37 31 38 30 31 38 31 37 5d
Data Ascii: [17324433471801817]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49762 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:46 UTC | 386 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=de3a19ac-393b-475a-b5ce-07c61aa216d9&tr=31&tt=17324433440133815&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
Connection: Keep-Alive
2024-11-24 10:15:47 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:47 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1859
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:47 UTC | 1859 | IN | Data Ascii: {"t":{"t":"17324433466351848","r":31},"m":[{"a":"2","f":0,"i":"f63fcb87-bf79-484a-987b-ff98cb38f08a","p":{"t":"17324433466351848","r":23},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"883f7d62-963d-4a4e-aadf-4ee8e577d238","d":{"CommandId":"eb7ae0f


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49778 | 108.158.75.93 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:50 UTC | 212 | OUT | GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?MXEuqxTtBtfd+dFjSfn8PupuPxKD+CNuASOYt6ySpA3SYMBPBbjiPgfcFSHiAA/v HTTP/1.1
Host: ps.atera.com
Connection: Keep-Alive
2024-11-24 10:15:51 UTC | 671 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 384542
Connection: close
Content-MD5: SgmofSAE2sSwBofpyfFQNg==
Last-Modified: Tue, 12 Nov 2024 07:13:54 GMT
ETag: 0x8DD02E9910FA268
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 4f2b2192-601e-007b-57cf-3c3f56000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sat, 23 Nov 2024 11:11:18 GMT
Vary: Accept-Encoding
X-Cache: Hit from cloudfront
Via: 1.1 e7575e0a4303776f28631da37e0447e6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: BAH53-P2
X-Amz-Cf-Id: k83oWIsV39ol-KHLgwBBZCKZ2jd0jI_QE_oTFhY1LpxdhFkqHz15tQ==
Age: 83071


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49777 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:50 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9dbdf105-b22b-42a8-a293-ef3c50c5b89f&tr=31&tt=17324433466351848&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:43 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:43 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1874
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:43 UTC | 1874 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 30 33 35 38 38 39 30 36 33 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 38 32 39 31 62 66 32 61 2d 33 31 61 32 2d 34 66 34 37 2d 38 62 64 36 2d 31 35 30 39 64 65 66 30 64 64 39 38 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 30 33 35 38 38 39 30 36 33 22 2c 22 72 22 3a 34 32 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 38 38 33 66 37 64 36 32 2d 39 36 33 64 2d 34 61 34 65 2d 61 61 64 66 2d 34 65 65 38 65 35 37 37 64 32 33 38 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 62 63 35 64 66 65 39
Data Ascii: {"t":{"t":"17324434035889063","r":31},"m":[{"a":"2","f":0,"i":"8291bf2a-31a2-4f47-8bd6-1509def0dd98","p":{"t":"17324434035889063","r":42},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"883f7d62-963d-4a4e-aadf-4ee8e577d238","d":{"CommandId":"bc5dfe9


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49776 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:50 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0c8fe399-28d9-41a3-bf50-c77a672f47cf&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:15:51 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:50 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:51 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 35 30 37 39 31 31 35 39 37 5d
Data Ascii: [17324433507911597]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.10 | 49883 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:35 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=dc3922f5-35d6-4f94-b311-0484e4bd5995&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:35 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:35 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:35 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 39 35 37 33 32 33 34 31 31 5d
Data Ascii: [17324433957323411]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.10 | 49890 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:38 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=acd435f0-64b6-414e-afe1-15c95d580f8e&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:38 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:38 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:38 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.10 | 49914 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:46 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d7638603-5a9e-4a0e-a726-ea2723946dc6&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:47 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:46 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:47 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 30 36 37 35 35 31 32 31 36 5d
Data Ascii: [17324434067551216]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.10 | 49915 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:46 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=128fc0be-bd77-4dce-a0ea-9cf2448b0742&tr=31&tt=17324434035889063&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.10 | 49935 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:53 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5951d75d-4aae-498f-8cfe-2d2684bcac30&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:54 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:53 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:54 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 31 33 39 35 38 32 36 39 32 5d
Data Ascii: [17324434139582692]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.10 | 49936 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:53 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c81cc1d6-c362-4d28-bb00-1ffac3b99a1b&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:54 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:54 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:54 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.10 | 49944 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:56 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0fdd6a07-21a5-4251-94a9-7ec5786af820&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:57 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:56 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:57 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.10 | 49945 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:56 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=37a1639b-3b2d-493d-9681-4ffe4cb9d665&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.10 | 49957 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:59 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=88896d23-1ff2-4725-8b62-fd0ae95c45ca&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.10 | 49956 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:59 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=4e6de541-ebdf-48b4-adc4-f35ddb9ca4eb&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:00 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:00 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:00 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 32 30 30 32 38 39 36 34 35 5d
Data Ascii: [17324434200289645]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.10 | 49970 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:03 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=459726b1-bf54-4233-9c92-512b1a42571f&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:03 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:03 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:03 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 32 33 34 36 37 35 37 39 30 5d
Data Ascii: [17324434234675790]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.10 | 49977 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:04 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d5f0f946-189b-4da5-b329-5fc70e83eabd&tt=0&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:05 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:05 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:05 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 32 32 31 35 30 31 35 37 34 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324434221501574","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.10 | 49982 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:06 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=be904d3c-4208-46ed-ab86-e69008a35a81&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:06 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:06 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:06 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.10 | 49988 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:07 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=53a672d4-64e8-41a4-b6a2-cf6f70a93e3a&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:08 UTC | 323 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:08 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 29
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:08 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.10 | 49993 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:09 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=09996451-139e-4d4e-87e9-c03841f30e76&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:09 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:09 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:09 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 32 39 33 36 35 35 37 32 37 5d
Data Ascii: [17324434293655727]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.10 | 50002 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:10 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=90ccbbf8-4ad9-4204-81c2-de1d71cdcfcf&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:10 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:10 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 4
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:10 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.10 | 50007 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:12 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=dec5ebd3-4793-42cc-bd15-dbc991b93b5c&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:12 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:12 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:12 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.10 | 50014 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:13 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8cf06a91-99a7-45cd-a779-b72be96870d7&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:13 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:13 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 7
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:13 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.10 | 50021 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:15 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e5b922ff-1087-45ae-bfaa-92dac2278cbc&tr=31&tt=17324434221501574&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.10 | 50027 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:16 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=459bf948-52b5-4158-a1ed-7acb5a150d74&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:16 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:16 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:16 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 33 36 33 39 36 39 36 36 37 5d
Data Ascii: [17324434363969667]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.10 | 50036 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:18 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=58b95c89-793e-4183-b4ec-622b28949278&tt=0&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:19 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:19 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:19 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 32 32 31 35 30 31 35 37 34 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324434221501574","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.10 | 50049 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:21 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2aed862e-2eee-4460-94f8-67ced20c3e98&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:22 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:22 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:22 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 34 32 31 38 36 31 37 36 31 5d
Data Ascii: [17324434421861761]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.10 | 50058 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:24 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9b35e03f-9217-47fc-883e-376a0acf1a33&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:25 UTC | 323 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:24 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 18
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:25 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.10 | 50072 | 13.232.67.198 | 443 | 5828 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:27 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=12f3eadc-4137-4969-a630-9caae86b52c8&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:28 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:27 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:28 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 34 37 38 32 36 35 32 36 33 5d
Data Ascii: [17324434478265263]


Session ID | Source IP | Source Port | Destination IP | Destination Port
31 | 192.168.2.10 | 50078 | 13.232.67.198 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:30 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/883f7d62-963d-4a4e-aadf-4ee8e577d238/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ae447775-3f27-4878-8dac-a944634d4b04&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:30 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:30 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:30 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port
32 | 192.168.2.10 | 50081 | 13.232.67.198 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:33 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/883f7d62-963d-4a4e-aadf-4ee8e577d238/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a714345f-6069-463f-b471-b79c49409a31&tr=31&tt=17324434221501574&uuid=883f7d62-963d-4a4e-aadf-4ee8e577d238 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com



                                                                                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                                                                                      Start time:05:15:19
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\e0#U05ea.msi"
                                                                                                                                                                                                                                                                      Imagebase:0x7ff7a4ea0000
                                                                                                                                                                                                                                                                      File size:69'632 bytes
                                                                                                                                                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:2
                                                                                                                                                                                                                                                                      Start time:05:15:20
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                      Imagebase:0x7ff7a4ea0000
                                                                                                                                                                                                                                                                      File size:69'632 bytes
                                                                                                                                                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                                                                                                      Start time:05:15:21
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 2C828FCE33DD8E11A4DB652C16749A7F
                                                                                                                                                                                                                                                                      Imagebase:0xd60000
                                                                                                                                                                                                                                                                      File size:59'904 bytes
                                                                                                                                                                                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                                                                                                      Start time:05:15:21
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI7358.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4158531 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                                                      Imagebase:0x3c0000
                                                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1313919273.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                                                                                                      Start time:05:15:22
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI7984.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4159906 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                                                      Imagebase:0x3c0000
                                                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.1382344987.0000000004884000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1323962673.00000000044F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.1382344987.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                                                                                                      Start time:05:15:28
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSI9172.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4166015 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                                                                                                                                                                      Imagebase:0x3c0000
                                                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000003.1385299684.0000000004255000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

Target ID:7
Start time:05:15:29
Start date:24/11/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 383888C60FE94E71DA4676E44D32717F E Global\MSI0000
Imagebase:0xd60000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:05:15:29
Start date:24/11/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"NET" STOP AteraAgent
Imagebase:0x360000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:05:15:29
Start date:24/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:05:15:29
Start date:24/11/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 STOP AteraAgent
Imagebase:0x70000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:05:15:29
Start date:24/11/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:"TaskKill.exe" /f /im AteraAgent.exe
Imagebase:0x40000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:12
Start time:05:15:29
Start date:24/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:05:15:30
Start date:24/11/2024
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="pjt145.chef@elbayrak.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000O3Ui7IAF" /AgentId="883f7d62-963d-4a4e-aadf-4ee8e577d238"
Imagebase:0x17ae7570000
File size:145'968 bytes
MD5 hash:477293F80461713D51A98A24023D45E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1463826207.0000017A800B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1468342329.00007FF7BFD24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1466941174.0000017AE9BD6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1463826207.0000017A8008C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1465826767.0000017AE76E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1467302308.0000017AE9DC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1465748093.0000017AE76A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1463826207.0000017A80001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1463826207.0000017A80089000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1463826207.0000017A800B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1463826207.0000017A80132000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1463826207.0000017A8017C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1467332251.0000017AE9DF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000000.1405684872.0000017AE7572000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1465826767.0000017AE776E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1465826767.0000017AE7720000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1465826767.0000017AE76E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1466941174.0000017AE9B5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1467332251.0000017AE9E0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1465826767.0000017AE772F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1463826207.0000017A800BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 26%, ReversingLabs
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:15
                                                                                                                                                                                                                                                                      Start time:05:15:36
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x19f98b40000
                                                                                                                                                                                                                                                                      File size:145'968 bytes
                                                                                                                                                                                                                                                                      MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000F.00000002.2543308265.0000019F996FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                                                                                                      Start time:05:15:36
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                                                      Imagebase:0x7ff78b890000
                                                                                                                                                                                                                                                                      File size:72'192 bytes
                                                                                                                                                                                                                                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:17
                                                                                                                                                                                                                                                                      Start time:05:15:36
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:18
                                                                                                                                                                                                                                                                      Start time:05:15:37
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSIB318.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4174625 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                                                      Imagebase:0x3c0000
                                                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1528735655.0000000005127000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000003.1471650818.0000000004FB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1528735655.0000000005081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                                                                                                      Start time:05:15:57
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "eb7ae0f0-01c0-4bb5-a03a-e6b63b26697d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
                                                                                                                                                                                                                                                                      Imagebase:0x171c11b0000
                                                                                                                                                                                                                                                                      File size:177'704 bytes
                                                                                                                                                                                                                                                                      MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                                                                                                      Start time:05:15:57
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:23
                                                                                                                                                                                                                                                                      Start time:05:16:42
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "bc5dfe9b-e2bb-4515-b3e1-7877603aa96e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
                                                                                                                                                                                                                                                                      Imagebase:0x20bd2490000
                                                                                                                                                                                                                                                                      File size:177'704 bytes
                                                                                                                                                                                                                                                                      MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:24
                                                                                                                                                                                                                                                                      Start time:05:16:42
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      Target ID:26
                                                                                                                                                                                                                                                                      Start time:05:17:23
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 883f7d62-963d-4a4e-aadf-4ee8e577d238 "16904213-f096-40ec-9bf1-11c4695deea3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
                                                                                                                                                                                                                                                                      Imagebase:0x29161870000
                                                                                                                                                                                                                                                                      File size:177'704 bytes
                                                                                                                                                                                                                                                                      MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2538539036.000000F3860F1000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2539420869.0000029161A82000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2540762394.0000029162157000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      Target ID:27
                                                                                                                                                                                                                                                                      Start time:05:17:23
                                                                                                                                                                                                                                                                      Start date:24/11/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E410A35B102149FCB54EF69D88099EBBB6FF89310B14816AE915EB361DB31ED41CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 487806f4b842c5a00f97482ec3019ff449ee45a2b584e49b75c4c5c42a261663
                                                                                                                                                                                                                                                                        • Instruction ID: c76ba868082824f385c9d4f4b40526f46c8e6c3e1122239ac92992ceb73b1be9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 487806f4b842c5a00f97482ec3019ff449ee45a2b584e49b75c4c5c42a261663
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C218731A623642FD38136B479243FB3FACCF43160F119463EA188E153CE288E4693E1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 969f1487560b8681dd2548d7031df9ceeb0fc369d90a563875019da084e15b1f
                                                                                                                                                                                                                                                                        • Instruction ID: 087b7447276341fdebbbee43ab2fdf0c099f4a4ab31b3a9703e373a760508297
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 969f1487560b8681dd2548d7031df9ceeb0fc369d90a563875019da084e15b1f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 11212B32B01254ABEB00EB79D8607EE7BEEDF89144F08506AD506DF242EE74CD4687A1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9db99ae7d20551d34f86b89ffafd0d76306dde335fed0067c3e5b7c9ba5cbcaa
                                                                                                                                                                                                                                                                        • Instruction ID: 53420014e2a61ac77c3b871dfb75baa639560114cebbf070a0c240d28970ce41
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9db99ae7d20551d34f86b89ffafd0d76306dde335fed0067c3e5b7c9ba5cbcaa
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F1214A75E102189FCB84DF69D8809DEBBB6FF8D710B10812AE915EB321DB319941CBA0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7de46fb880b63d180c189df38ad6c6aa5e79dddefba7d72a6b08b471d6be22be
                                                                                                                                                                                                                                                                        • Instruction ID: db43877cafa06038689460e52568ca9e9b0b8463bf704ee8c51e413c282cbd20
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7de46fb880b63d180c189df38ad6c6aa5e79dddefba7d72a6b08b471d6be22be
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5A11A530A10204AFD784EFA4D860BE97BF6EF8C314F115019E419AB382DF755C45CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: cc4c2930e9002b474f46182343cceaa9358a32d92888ee847db42aea13748cdc
                                                                                                                                                                                                                                                                        • Instruction ID: 21ba1d94164037d5d1a8cc7b4fb39d23d7e2764707657b77b637a8182273d52d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cc4c2930e9002b474f46182343cceaa9358a32d92888ee847db42aea13748cdc
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 98115C35600214BFDB04DFA5D458AA97BF6EF8C325F145019E41A9B341DF795C45CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 923ef53b52cce180971720645fbbc634ef1ddb8e3c1000f9c5b2b7b078555b80
                                                                                                                                                                                                                                                                        • Instruction ID: ac7f5114953a32a5d79496bbfac04b7c17431c9b9f3a58dbfe0bc3a7ee3933fb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 923ef53b52cce180971720645fbbc634ef1ddb8e3c1000f9c5b2b7b078555b80
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 56115430A10204AFDB84EFA5D864BE97BFAEF8C315F115019E41AAB382DF756C45CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 73cfd1aa771f6329040020d27d0e3aa351085f3b4467609cc5a6826bcace741c
                                                                                                                                                                                                                                                                        • Instruction ID: 2ef06a973e51040399befab719af73cc7743a10e4536f55a5201bc1d4182f7f6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 73cfd1aa771f6329040020d27d0e3aa351085f3b4467609cc5a6826bcace741c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A2113B1D042098FDB20DFAAC484BEEFBB4FF48220F10842AD81967240C7756946CFA1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 91d027c56a17c7c8f88f7601da8033848d41fe371e1f649f9568910dc75d3763
                                                                                                                                                                                                                                                                        • Instruction ID: 0b1e6188263e2d7d78a5849e596e54660de12344bbc41b11fb4eeccd6bdf436b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 91d027c56a17c7c8f88f7601da8033848d41fe371e1f649f9568910dc75d3763
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2911F2B5D042498FDB24DFAAC880BEEFBF4FF48224F10842AD81967240C7756945CFA1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 82e62add80df5588afff3cfc25cddadb86a7025e4672cace74ba31cec05c3325
                                                                                                                                                                                                                                                                        • Instruction ID: 6fa86337799d856bc7597e1a2851cee0195eb79c99036effc2d82a9b1580822c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 82e62add80df5588afff3cfc25cddadb86a7025e4672cace74ba31cec05c3325
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F114F31A00214FFDB04DFA5D854AA97BF6EF8C325F149019E41AAB381DF799C85CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 013baaf1f2e9bfe26e92639525c0243b50698ceb680cf06b5ae7363160ac6ce7
                                                                                                                                                                                                                                                                        • Instruction ID: 694e32952b869337d7c7c8da432973e1763d7cc6c37333a081d7a712e2b8e0e2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 013baaf1f2e9bfe26e92639525c0243b50698ceb680cf06b5ae7363160ac6ce7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 44012631A0010497EB98BEA889A57EF7EBFABC9340F25502DD112B7381CE720C0187E1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 914f64a1ab81346146c90c16c0db491c33b78750872f4d98005349cc53eb0c6c
                                                                                                                                                                                                                                                                        • Instruction ID: cd304a578bfe887808447a0b9e74c0e0dfc0e52f87807290b364ee90886ac249
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 914f64a1ab81346146c90c16c0db491c33b78750872f4d98005349cc53eb0c6c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 810124B0A243495FCB49AFB964303663FADEEC321874118BAD54ACF253F9248D408781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.1321392628.00000000044ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 044ED000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_44ed000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 0a0887535c45df55c98cf2710d2537d4a7adbad337ae1c746ef4b8252ccab812
                                                                                                                                                                                                                                                                        • Instruction ID: a1297d71efc9cdb174fb9de2c93e3ce55e7b9a5500ded6e6932ad3240fc9dcab
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0a0887535c45df55c98cf2710d2537d4a7adbad337ae1c746ef4b8252ccab812
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D501FCB19043419FEB204F16DD80777BB98DF41229F1CC417DD490F242D275A442C6B1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000002.1321392628.00000000044ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 044ED000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_44ed000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 68be6897f53181b0b01a1048f943980071acf36e500bb51aa3cdd2600f9728dc
                                                                                                                                                                                                                                                                        • Instruction ID: 6bdef7d87296c596e5b337b98b7a8f4c064fdac14047b049e5e4a74c85ea8f07
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 68be6897f53181b0b01a1048f943980071acf36e500bb51aa3cdd2600f9728dc
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D015E6140E3C05FD7128B259D94B62BFB4DF43228F1D85DBD8888F2A7C2695849CBB2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8d4c489d449dafc1ff4769c42007eba4a19c66fbbb12e457be2b5bbd94a1bc21
                                                                                                                                                                                                                                                                        • Instruction ID: 3575a1b0be11e401e40ece4c7ad161d1570df9624d63e6e94d85e14155d54e39
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8d4c489d449dafc1ff4769c42007eba4a19c66fbbb12e457be2b5bbd94a1bc21
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DCF0EC357053141787B47A1799C07FF6B9EEFC4654B04A02FE9098B347DE248E0155A4
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 925a14f5f344aad46eed4e535514366b21a2885b9ae8f6e652e7479e31ac967e
                                                                                                                                                                                                                                                                        • Instruction ID: de93e2ff524cd841c6e2aca7a074a20c63cf90db8456caf9d06659cf6ebd372e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 925a14f5f344aad46eed4e535514366b21a2885b9ae8f6e652e7479e31ac967e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B2F02437A101805BC70CDA2CE4596EEBB77ABC8210F14802ED80263280DF310C0CCBA0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9d7a3bcab0a1ef34051c51e7c0da8a2bd2b14ba47d0c76b7bebc55cdb64981b0
                                                                                                                                                                                                                                                                        • Instruction ID: 41afe928da21f88505ff5e16cff1e31e42e7111fa88257329396869f8a6ad71f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9d7a3bcab0a1ef34051c51e7c0da8a2bd2b14ba47d0c76b7bebc55cdb64981b0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EDF090B1A2034A9FDB49AFB951313563FDAFFC2218785186995479F253F9208D80C7C1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7f8ffcea66dcee89f648fe08b8c0855036bb980974eb660864f4688c5860be47
                                                                                                                                                                                                                                                                        • Instruction ID: 59a86b10198b4402cf510d7f4baa4bea3f063cc73407055302b9bd7d41d67c13
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f8ffcea66dcee89f648fe08b8c0855036bb980974eb660864f4688c5860be47
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FBE09221B6531806FFF83A6959207F622CE8B81604F00283BC4018B643EDC0EA4003E2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c3b39dd3fba2545bda502d9f55b88c08d2a62849157d5ab249d25b175612b4f5
                                                                                                                                                                                                                                                                        • Instruction ID: a2ff173a8b3f340cce46c6e89fe4ad4624683a7b0b9f217da236fea51f21bd22
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3b39dd3fba2545bda502d9f55b88c08d2a62849157d5ab249d25b175612b4f5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1E0E537B101545BCB18AA6DE4685FDB7BBEBC8211F508036D902A3340EF341D09CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e2cc98812676febe6f3911fd2119c7f40d1fc185b734dca7433f10c279805ada
                                                                                                                                                                                                                                                                        • Instruction ID: af7b4b882d91fe33635a94c1401e0b90dd25e487ac2ace9c6c4ca8960a940160
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e2cc98812676febe6f3911fd2119c7f40d1fc185b734dca7433f10c279805ada
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A0E0C27001B3501FD306DBB9F912BD52FA2DE82804346CA96E2418F123EF546D8E87E6
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e4ca80dfd9a0fc7ed3109081d5b42e1de4ddbe7ab122b65daeb652659c0753fc
                                                                                                                                                                                                                                                                        • Instruction ID: 62a585a034a479617e13819b551983e1af73410f51e5bd4c172da2e5c454f679
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e4ca80dfd9a0fc7ed3109081d5b42e1de4ddbe7ab122b65daeb652659c0753fc
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 65E02B321292541FC3066F28E9114D67FB99B5A1503084067FD4187363CF611E22EBE0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f9cc9c6864e1a8ebd7571857173f7c9a74c305e26af3536ac9251ffb3804a6e4
                                                                                                                                                                                                                                                                        • Instruction ID: 4ec69fa6f813158bcbe3f98f06c5afe6766c05d7a109d77e883d1251abfc2883
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f9cc9c6864e1a8ebd7571857173f7c9a74c305e26af3536ac9251ffb3804a6e4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F8E0EC70D002099F8780EFB9951166ABBF8AB48204B1085AEC418D7201FA3296028B91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 13a20c7b3e5c371b0e46cd38b99bf7bf7689a94089869ee75afbba3650ab9d36
                                                                                                                                                                                                                                                                        • Instruction ID: 7c59dce1c5326cb661a06f9409164e7fd4bf0cdbafed9b5047311c6859d2db62
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 13a20c7b3e5c371b0e46cd38b99bf7bf7689a94089869ee75afbba3650ab9d36
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 62D0A7322551186F52447A99D8659AA7BEDE7952A03508423FD0293211DEA06C5097E9
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1320688397.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6ab0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 339abd33062636bb71fba3f0e20dfa948bcd1b2c4c977abbd8cabc822959e4ad
                                                                                                                                                                                                                                                                        • Instruction ID: 46931af30534a92e0e6598fe50f392d00507bc6074c48a28b22108018fdc9cdf
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 339abd33062636bb71fba3f0e20dfa948bcd1b2c4c977abbd8cabc822959e4ad
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 20C08CB2E742058BC1448E8008082F6B360FB32206B84C26A84050C002623211ABA5B4
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380041799.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6b20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e5dd1c1c89abdf86df0e0370eab97f266158ffe4f46311c892e955c4737171ac
                                                                                                                                                                                                                                                                        • Instruction ID: dcfc8913301ae484d7fec355e841485fd0891032885c8638cd71516b1dd7b041
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e5dd1c1c89abdf86df0e0370eab97f266158ffe4f46311c892e955c4737171ac
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4B224E70E1071ACFDB14EF74C88469DB7B2FF89304F1186A9E849BB251EB74A985CB50
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: l;Vt$?Vt
                                                                                                                                                                                                                                                                        • API String ID: 0-3185130314
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: d
                                                                                                                                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: |7Vt
                                                                                                                                                                                                                                                                        • API String ID: 0-2583723226
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 06B29FF8
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380041799.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6b20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 6842923-0
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 06B29FF8
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380041799.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6b20000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 6842923-0
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: L<Vt
                                                                                                                                                                                                                                                                        • API String ID: 0-1719561114
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: |7Vt
                                                                                                                                                                                                                                                                        • API String ID: 0-2583723226
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: T;Vt
                                                                                                                                                                                                                                                                        • API String ID: 0-4137419375
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
Memory Dump Source
• Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: bb5fe8ba501a88a4a192691720faba1cf9782105d421abcbc8ce240d6985c13d
                                                                                                                                                                                                                                                                        • Instruction ID: 64c6b705a32e9bdf7556b8cb95241188592f4d35aa30f35376bd9f5a880b9ca9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bb5fe8ba501a88a4a192691720faba1cf9782105d421abcbc8ce240d6985c13d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A2817E70A043489FEB05EFE0C8607EEBBB3EF89350F108469D1466B791DE75AD458B92
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: bc1dd7fd4ce74dda9a6e13bc18ba0194b61e321fe99fafdeaf8c7deec999b547
                                                                                                                                                                                                                                                                        • Instruction ID: c11b274ec6a950c0b96d500de2df6be09dd6cc46c2c6eee70262edc4c54a71a2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bc1dd7fd4ce74dda9a6e13bc18ba0194b61e321fe99fafdeaf8c7deec999b547
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F7717874B003018FDB15DF39D490AAABBE2FF89604B04C6A9D8469B355EB70EC42CF91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 3ccda9e2464335821414021e3dab8a2a2376a341d454ed5152c3943e37a40789
                                                                                                                                                                                                                                                                        • Instruction ID: 73278e1d053a36c873aa8b7cc5a7a18fe3074737eae897f1579083fadd19078e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3ccda9e2464335821414021e3dab8a2a2376a341d454ed5152c3943e37a40789
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8751F071B042148FEB14DF7AD494A6E77E6EF84B1071440AAE905DB3A1EF70FD018B91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 4d7b6c3bdc14b42c35259844b4022ae4f892427996ae5e3bf12212ebc3b6ec59
                                                                                                                                                                                                                                                                        • Instruction ID: 93984cd19067bfab5d4b4839c9897f12fbacef5d854e0abb865413fbf5175593
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4d7b6c3bdc14b42c35259844b4022ae4f892427996ae5e3bf12212ebc3b6ec59
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C6714A70A003489FEB05EFE0C4607DEBBB3EF89350F148469D1466B7A1DE79AD458B92
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7c11ee5b8f76640e76e461475bf5afdc86cbf026b5d385436c53bc937aaa219b
                                                                                                                                                                                                                                                                        • Instruction ID: f91fcf916c348b43965ff13b67c348f4722a6ad1d1520e26c64b19d833f31042
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7c11ee5b8f76640e76e461475bf5afdc86cbf026b5d385436c53bc937aaa219b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 11616D76B002059FCB01CF69C8809AABBF6FF9D31075480A9E619DB321EB31ED15DB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8e2f773e9fe20be15d4868143959812d0c9bfa3a920b5b8d0f1cdba507220154
                                                                                                                                                                                                                                                                        • Instruction ID: acf241383fcf0cf02c459343abef4bac0b7edf365e9ad821525d33a09a15b591
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e2f773e9fe20be15d4868143959812d0c9bfa3a920b5b8d0f1cdba507220154
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 025118743111118FDB099F6BD598A3A77E7AFD9A1132980A9E406CB375EEB0EC42DB40
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2329f8585864dc7207819e61fa06cc48d650e37da84b4c51e1ba456c6042fc7b
                                                                                                                                                                                                                                                                        • Instruction ID: 54993a909203a2f8d7f2e734096b9fc1ea57a74a6d6cff0e8eb0b180b05e10de
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2329f8585864dc7207819e61fa06cc48d650e37da84b4c51e1ba456c6042fc7b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7651E171B012089FDB14DF7AD8506EE7BE6FFCA750B14802AD815DB350EA30AD42DB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 51fa7073ffb3fdfdca2badc2a61e7414b867939514aea7a5ab53ac36bade3fee
                                                                                                                                                                                                                                                                        • Instruction ID: 5a1e63c83a157ce2c3a0a5773ca3ece7151ed34c29c067416028ba498e767471
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 51fa7073ffb3fdfdca2badc2a61e7414b867939514aea7a5ab53ac36bade3fee
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AF51C330B05314AFEB04DB65D8687BE7BF6EF89310F14806AD406AB385EE786C46D791
Memory Dump Source
• Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 19b4a4e7683ebbe9da1c5cbf342393c0f73a9a6aeafcc160d1efbab6aee2e32b
                                                                                                                                                                                                                                                                        • Instruction ID: f79099b7f5c7862f2fe111695a88904496862c97d36a6ebbdac34d44f7bf64c1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 19b4a4e7683ebbe9da1c5cbf342393c0f73a9a6aeafcc160d1efbab6aee2e32b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F451E674A00209EBEB04EFA4E8657AEBBB3EF89300F508469E51677790CE356D41DF61
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1038165b4c54e1ea9f7ae05a31f03893d47af4071a582915215084720dcdd84e
                                                                                                                                                                                                                                                                        • Instruction ID: 22c52fee46c3101c1abf46c88902e6ccf784013ee8f05d9280d1afbc0992debe
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1038165b4c54e1ea9f7ae05a31f03893d47af4071a582915215084720dcdd84e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B241F170B053145FEB089E39985473F36EBEBC5604F148469E806D7395FE34EC828B84
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f0647d79672c8fc74cc026b1141755a6ff58a55c64b749265ba289987b564ffe
                                                                                                                                                                                                                                                                        • Instruction ID: 11f09121cc0dbe9a73b0aabaabef9ec2d5a72144a0efa9fec3fc5f57dbde0611
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f0647d79672c8fc74cc026b1141755a6ff58a55c64b749265ba289987b564ffe
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EA415A70B11215DFDB14DFAAD854ABEBBF2BF88604B108169D416AB390EF75AC01CF91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 93d32be4a1788cea269aa2bdcece1a5b3820f5e432e2e6f970b101c548ec06c8
                                                                                                                                                                                                                                                                        • Instruction ID: 1a87252346f2f1c57e8b9810a670e0c1634f4f48ddd1aacdf56ad8a56fdf421d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 93d32be4a1788cea269aa2bdcece1a5b3820f5e432e2e6f970b101c548ec06c8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D841D731A05308AFD704DF65E8657FE7FBADF8A210F10406AD80A97390EE35AD46D791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2c46cb88c8152669d5adf5b6755e8221e7a03a232323ee752a9db396b48f7917
                                                                                                                                                                                                                                                                        • Instruction ID: 0fa8a82f0d59b9109a4ccf55317a021209cc5898d427b0425a09354e9c21bb3c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2c46cb88c8152669d5adf5b6755e8221e7a03a232323ee752a9db396b48f7917
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8731596660E3C09FE713577558A05AA3FE69F9321870940DBC4C6CF253F954AC0BC366
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ab59f9abc5562532e708dbef0a93f0fc34e595f1271d1b13e718ada84411039f
                                                                                                                                                                                                                                                                        • Instruction ID: da890bcbc924d08c793823d5ff3095e109268ff0781bf3a3301028ce0f1261a2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ab59f9abc5562532e708dbef0a93f0fc34e595f1271d1b13e718ada84411039f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DE415A34B01605CFDB14DF5AC480A6AB7F2FF89354B1589A9D85AAB351EB30FC41CB54
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 4d1e966ec924cf06273459eeae10d2bd2f48f55ed146876212d16375a6104841
                                                                                                                                                                                                                                                                        • Instruction ID: 884f920a0582b38e13b1a1ee5dcf37009fd34d6de1c9eff8cb60758463879dd1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4d1e966ec924cf06273459eeae10d2bd2f48f55ed146876212d16375a6104841
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB31B45560E3C09FD717573548606693FA15F9710478E44EBD0C5CF6A3EA589C0BD327
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5958ac4815b635a21e362e99b0383449a3c99a10791323608ef5afc748688e99
                                                                                                                                                                                                                                                                        • Instruction ID: be759a207ee9235d3ce999561d85c97a593141ee89c54454cb119a584eac48ba
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5958ac4815b635a21e362e99b0383449a3c99a10791323608ef5afc748688e99
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1641D5707043549FCB15DF39D8549BEBFF6AF9A200B04849AE086CB362DA74EC05CB61
Memory Dump Source
• Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e1ff9d0c8786243e06cce37dcfe3ef18957a3d1f74dd35a322906c577485335b
                                                                                                                                                                                                                                                                        • Instruction ID: d094f7f2fb3c2a060cf00c42125cbeed728efd79a35c0c272de03703d264e763
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e1ff9d0c8786243e06cce37dcfe3ef18957a3d1f74dd35a322906c577485335b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 40212772B022649BEB108E7688546FE7BEADF86240F048067D806D7286FD74EE039791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 85a9c87fb690c87f4e3ac515d6321197ef82f55aadbb85bd73aac0bee406f0f8
                                                                                                                                                                                                                                                                        • Instruction ID: 21160f24545ec4c409b11335cb1ad822385e61fc925a0fdb28f01cad9288bbae
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 85a9c87fb690c87f4e3ac515d6321197ef82f55aadbb85bd73aac0bee406f0f8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35318D34211741CFC725DF25D598966BBF2EF89700704CAA9D48A8B766DA34FC46CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1381352746.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_2bad000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c7c5818e80df0f460d2d7704960a21763564e79b3749ed084ce3c8ecc8dfd5d2
                                                                                                                                                                                                                                                                        • Instruction ID: 900513e90b5c4777cadbdcaf3750fa2d25f5a97c484e33306d9619d9bef75638
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c7c5818e80df0f460d2d7704960a21763564e79b3749ed084ce3c8ecc8dfd5d2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 70216AB5508241DFDB09DF14D9C0F26BB61FB84314F24C1A9D8090BA06C336D446CBA2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 967a148c8bc6c3506576fdd8ce2636c0c0c34ec9c1b8c444789f0366dece6d8a
                                                                                                                                                                                                                                                                        • Instruction ID: f58064cfa8e41859e64ba9cbc6c8611e51d6a52b73a1c38e48a449e29701a8a6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 967a148c8bc6c3506576fdd8ce2636c0c0c34ec9c1b8c444789f0366dece6d8a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A217430A01204AFDB04DF69D854AF97BF6EF8D314F148029D806A7384FA75AC86EB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d3a7cab6a2acd903914d73d7df7560185458afe93d435c5b96eeeb2f82616c09
                                                                                                                                                                                                                                                                        • Instruction ID: 7c44ad798b5b6aead344dd1ad4e35c9e1ce01721f8cc32adb02ff30c70b2a720
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d3a7cab6a2acd903914d73d7df7560185458afe93d435c5b96eeeb2f82616c09
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2C218330B00218DFDB149F6AC455AAEBBF6EF8C754F14805AE402A7391EEB1AC018F95
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 754a013878f3509d9637ca30fc96c7723532c1e4b7a17d20711eafb8bfadd174
                                                                                                                                                                                                                                                                        • Instruction ID: abaa943a06ab84165395fd8d55b80e80fd6d38f2a2a49ec84fb032e8de2ba11a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 754a013878f3509d9637ca30fc96c7723532c1e4b7a17d20711eafb8bfadd174
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3C1190313053004FAB14CA6AD490B3AB3DAEFCA620714803A9949C7756FEB1FC418794
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b2cbe736e7bda433918d455927f7d523779fc3bdf1f9650da1c057eb923efcd1
                                                                                                                                                                                                                                                                        • Instruction ID: 4616f188a78ea452496ea0564042d16234fecacaeef8d72968984df0cd3d9f0c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b2cbe736e7bda433918d455927f7d523779fc3bdf1f9650da1c057eb923efcd1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5D1173723053015FAB249BAEB494A6BF3EEEFC8265314807AF50DC7755EEA1EC414790
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 444ba47ecc09b500473d526d6d72ab79c0057e47eaca07f89d4e3b4d4861ae03
                                                                                                                                                                                                                                                                        • Instruction ID: 539a8ea6bf8ad581c099224dd04d6f601bf440d827dabfd22f839c1c62a05f50
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 444ba47ecc09b500473d526d6d72ab79c0057e47eaca07f89d4e3b4d4861ae03
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 11115BD690E3D45FE7039B74A8B02C93FB09D1310474A40D7C1D1CF1A3E964994ACBA6
Memory Dump Source
• Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f7dc93abbfbe0e4e912a1d4d17df620aebec66a43cdd2410ad110d7534619770
                                                                                                                                                                                                                                                                        • Instruction ID: 51772064eb85fb383277d795d3fd1f988772bbe53610a1fce4e9a8f445189367
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f7dc93abbfbe0e4e912a1d4d17df620aebec66a43cdd2410ad110d7534619770
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 87114F35600318AFDB04DF64D459AA97BB6EF8C321F149019E80A97384EF799D46DB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1381352746.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_2bad000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: dbfc16fa6896e0d880c800bfe027d57cd1705ad07205604b7711310ce88d1907
                                                                                                                                                                                                                                                                        • Instruction ID: 51d9e424652323ddb4bd196f73bbf5ecf4bba56eafb7d394ea38f75e3424e153
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dbfc16fa6896e0d880c800bfe027d57cd1705ad07205604b7711310ce88d1907
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9611D3B6508280CFCB16CF10D9C4B16BF71FB84314F24C6E9D8494B656C33AD456CBA2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 62cf5702c68fbb89ab0de185723bdbaeb44762de82dc0a368a12971f56464414
                                                                                                                                                                                                                                                                        • Instruction ID: d2e7377be5be1d2bd617ea86eb89ecd541a524c7ec981da63539ea9069c5b5a2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 62cf5702c68fbb89ab0de185723bdbaeb44762de82dc0a368a12971f56464414
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C21D874E01209DFDB44EFE8D490AAEBBF2EF89214F504499D406A7354EB70AA81CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: de186d5fcd77065d3eaf6354b233e17bff983dd14122916ba43918db5b60fc57
                                                                                                                                                                                                                                                                        • Instruction ID: 058896d5c13291b8daba4d6633da36cd3869d8dd476e6f72ddb8cacdef142878
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: de186d5fcd77065d3eaf6354b233e17bff983dd14122916ba43918db5b60fc57
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D7117035B002149FCB08AFA998459BF7FAAFB8C300B108029F905DB341EE344D029B90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 0dffb7bf1c0bc4690f67a87e4251e6911413ed7224a8f5fbb0e3ccd8446ebbed
                                                                                                                                                                                                                                                                        • Instruction ID: 792a0d352efbc9bac8ba12c88d312d2aa0068ae5a54418ef013ede64e877303e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0dffb7bf1c0bc4690f67a87e4251e6911413ed7224a8f5fbb0e3ccd8446ebbed
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0621E271D042498FDB24DFAAC480BEEBBB0FF48210F14852AD859A7240C7756945CBA1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 16ee23b3c3a8b0cb3cb6219fec7b923b6c0e88011cc077e4c05e8f6a4f80c3d3
                                                                                                                                                                                                                                                                        • Instruction ID: 47309b3899e62e25841fa0a0c4ebce3551af9f880666db8f78c87080efdf2d23
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 16ee23b3c3a8b0cb3cb6219fec7b923b6c0e88011cc077e4c05e8f6a4f80c3d3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A113034A01304AFD704DF65D458AB97BFBEF8D325F145019E40AA7384EE756C85DB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 3c2551d3edabb7d7327e4bb505f4668dd6abe105924cf0ef4b07fc7d5afdc376
                                                                                                                                                                                                                                                                        • Instruction ID: b6ab2db95b1761330ef82f58f35e144ff3744dd07b72d66df1070ee790ee2be5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3c2551d3edabb7d7327e4bb505f4668dd6abe105924cf0ef4b07fc7d5afdc376
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E311E2B5D046498FDB24DFAAC480BEEFBF4FB48220F108429D859A7240D7756945CBA5
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 15b11572ded09c869558237ce4051a7dbbf236e3b83365a23709c90b44f5b9b3
                                                                                                                                                                                                                                                                        • Instruction ID: acadc7e7b99c5a76b76c38a2360856f5b2d2ef2dc77349797a1958c423837236
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 15b11572ded09c869558237ce4051a7dbbf236e3b83365a23709c90b44f5b9b3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9001477024A3088FF304A761D8697797BE0EB41704F144859E94A8F6C1EA24FC82D302
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1381352746.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_2bad000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1381352746.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_2bad000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1f62945be2e6887e1d2da34e661650b36954e5413302d9f0a174ad9aae4b988f
                                                                                                                                                                                                                                                                        • Instruction ID: 84ff220033119c23c4138f5f6f54f2a67b5468c6f939b5637f850f364a610ecf
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1f62945be2e6887e1d2da34e661650b36954e5413302d9f0a174ad9aae4b988f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 15019E7140E3C05FD7228B218CA4B56BFA4EF53224F1885DBD8888F1D3C2688844CB72
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9f440f6fa8ecb8b1bc767458314caf89ed0231862d5a7baa1ed3dde802e30fde
                                                                                                                                                                                                                                                                        • Instruction ID: dccafb092d2fd2f32a9accd7f89185f28065022a26d4516e47c3057b4a7fb3bc
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9f440f6fa8ecb8b1bc767458314caf89ed0231862d5a7baa1ed3dde802e30fde
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 53F0F07270A2054FD7105F6AE85093BBBE9EF9556430500AAE108CB362FA21EC05C7A0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ee254a5bf7eece57cdaaeea83cb42c09ddb10d65aa24f04f54a048a962d1247e
                                                                                                                                                                                                                                                                        • Instruction ID: 10b389d50affe54026d8855c1ea5d101d6f148121e6181711a5033854e1fd0df
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ee254a5bf7eece57cdaaeea83cb42c09ddb10d65aa24f04f54a048a962d1247e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D2012836B02615DBDB10CB69C68066DF7E6FBA9325BA08679C4269B344E731EC458B80
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6598ac51d6a8f42bdc78da26fc10973c9d7f1e150c170020da623d9f315733d6
                                                                                                                                                                                                                                                                        • Instruction ID: 040411656563f19958ccae0ef29fcbe9fe529e15e112fcaec89536e0050df2e4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6598ac51d6a8f42bdc78da26fc10973c9d7f1e150c170020da623d9f315733d6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B601D136B103114BE719DA99D8513BE77A3EBC8610F14C46AD606AF344EFB2BD068BD0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 4cd1b37a76fac2eff6611669f8518f6b233b04595cada85386c1afd9d93de922
                                                                                                                                                                                                                                                                        • Instruction ID: b00d3e529a9d0587cf0bcda17ed9d9fc1f446826d031d7d96735192f3904d938
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4cd1b37a76fac2eff6611669f8518f6b233b04595cada85386c1afd9d93de922
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 05F0C836B103104BF7199A59D8513BE73A3EBC8650F58C46AD545AF344EFB1BD0687E0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 62189d82243d3303dd9b5ed9a9f8145a6747ed656b8036db8087bb5af67b935d
                                                                                                                                                                                                                                                                        • Instruction ID: 30e5772b38e6169ea8a79a44b812a214dcd1e096d33182c8f606ef107a9c3aa1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 62189d82243d3303dd9b5ed9a9f8145a6747ed656b8036db8087bb5af67b935d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52F0E9F27053012F9B154B9A68805A7ABE9DFDA160314C06AE40DC7341FAA1DC0647A0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6b5919fc05d5ee382945fb52a88196672e431c18f87bfb3f24c41925afdde1ed
                                                                                                                                                                                                                                                                        • Instruction ID: 36c8d201691cbc146a2318326b4f0095cfdd50720eb41d6446f626e68e8438a4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6b5919fc05d5ee382945fb52a88196672e431c18f87bfb3f24c41925afdde1ed
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 57F0967150B3815FCB164A35DC104A3BFF5AF6B22138689E7E044CB263D210A807C3B5
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: bd5b00e970084c8a8cef6adffd05241d7607b2dedca766cbdba4f9555aeb23d0
                                                                                                                                                                                                                                                                        • Instruction ID: 6f8c7a0bdd8178512e36f074c0aebec56b64ca667a82d85601ec9b82d7710148
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bd5b00e970084c8a8cef6adffd05241d7607b2dedca766cbdba4f9555aeb23d0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DDF0F6366042456FC702CF59C800C9ABFF9EFA96103458496E548CB212F730E904CBA0
Memory Dump Source
• Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 03adda9d20b56a45bea3f40292de1c0cc8454dab53c71c2639b7a646995d0e62
                                                                                                                                                                                                                                                                        • Instruction ID: b0b0b81ae9a009d9826b349173aa0f793e534b9914f799e188097a751dffe1b6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 03adda9d20b56a45bea3f40292de1c0cc8454dab53c71c2639b7a646995d0e62
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8FF08C2061A2580AEB21156615003BA2FD94B52B58F0104BADD82CBB86F684E8858BA2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 47ae749f5d02deac0ff7050f24986b24c074905ce87b88d46e2510ae82811de4
                                                                                                                                                                                                                                                                        • Instruction ID: 3f1069b450a42675fa26fa14f7ddfd2cae5cf8d2bc930b46a8bc35ab39a2987b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 47ae749f5d02deac0ff7050f24986b24c074905ce87b88d46e2510ae82811de4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 38F0EC313093408FC7055B7AA8945657FEAEB8722175580FAE50AC7362D964DC058760
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7fa419c3187f24749fa62905ff8a23bd6f320ecb892c0f1bd020e64981fb2ca2
                                                                                                                                                                                                                                                                        • Instruction ID: 3bd094fd1658ba64a2e9e301bd6106223d4fbba8ebcdc08a4c5e6a5e73a4c9b1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7fa419c3187f24749fa62905ff8a23bd6f320ecb892c0f1bd020e64981fb2ca2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 60F03771F02115EF8F44DF7A59001BDBBF49B04255B604469D91AD7300F37197468FD4
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 05ae10cc29737ab5dbdf163a44ba74189126bef2e1393fcdb787d0b41ab5933d
                                                                                                                                                                                                                                                                        • Instruction ID: 90a774fc4a1afcde15a6f346e921f284161205c353b90b4edb91c6f4d153ff68
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 05ae10cc29737ab5dbdf163a44ba74189126bef2e1393fcdb787d0b41ab5933d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 31E022313046001BA265BA6EA81062FB7C7DBC56A0340C8BDE00E9B340EF61FC458BA5
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 0a2c242bcd5c29853ae7f7129ca7af7000c727de781ba9cd6f3a11adb92e8e40
                                                                                                                                                                                                                                                                        • Instruction ID: 734c707d358f89eb6f98cc38eddeaae13e0713cfd38db14255d0da8dc00e23a6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0a2c242bcd5c29853ae7f7129ca7af7000c727de781ba9cd6f3a11adb92e8e40
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 29F022A3D0F3C18FD712C37588896C07F50C86325030A00CED48A4B322F886AA02C386
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 447fca48571c2421f281fb52da84f6ea3e686f0f0091f16449fb00bc2c30f9ce
                                                                                                                                                                                                                                                                        • Instruction ID: 90c73cfcd8b1864241b42f1b158abe68c0c157c0789a8d4f2e0a5a758b570175
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 447fca48571c2421f281fb52da84f6ea3e686f0f0091f16449fb00bc2c30f9ce
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 56F08274D0934DAFCF14EFB8D44059DBFF19B05300F1081EAD4559B392EA741A468F49
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5d451085fdcfc79767eaab1944958c481589acb3ea288ef383e4c5ebbdb1b60e
                                                                                                                                                                                                                                                                        • Instruction ID: 71b82712f17cedd2e4c5e32e4f346efc3d6a4256d8490450648c3677739e0c76
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d451085fdcfc79767eaab1944958c481589acb3ea288ef383e4c5ebbdb1b60e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 20E022306053005BDA21666594242EE3FEAFBC3765B04085BEA82CBB01EAA57C018BA6
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 187140fc12b3b2ab77e74cd3f5ddb63f9d85b96a6a24b78cfb216c636d5cfcb3
                                                                                                                                                                                                                                                                        • Instruction ID: c9d4a212d0fb996e46e087a00abcbf70ec40c34cda80a93155faa6c808c74d65
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 187140fc12b3b2ab77e74cd3f5ddb63f9d85b96a6a24b78cfb216c636d5cfcb3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B2F06DB1A093449FD301DF5DD880CA17BE9EF6921538581AAE988CF363E761EC56CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: de0eb2e248de40f9e9b42df466168f245d874d142d80c6a1164c074de569e918
                                                                                                                                                                                                                                                                        • Instruction ID: 6eb74cfaf47172fc2ea944d485564f4079f37ffdefdb57f06026b2adef6d333e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: de0eb2e248de40f9e9b42df466168f245d874d142d80c6a1164c074de569e918
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E1D05E36300220530614219E74285AE77DFCBC5E62358006EEA0AC3340DE569C011395
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9939457d42a6363ed6bee7626ffe9a10a28311f030b0721ad4de3a1ee21a00ac
                                                                                                                                                                                                                                                                        • Instruction ID: e443be519cf046983b957a9496b816d26712611dda0b0bdb7572f68a949f87db
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9939457d42a6363ed6bee7626ffe9a10a28311f030b0721ad4de3a1ee21a00ac
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B4E09274E0430CAFCB44EFA8E44469DBBF5AB48300F0081AAD809A7350EA745A448F85
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2f9b1fec49d62a91fe347c3df39ed17c29e7ef118de59c79a4686172d2d8edfb
                                                                                                                                                                                                                                                                        • Instruction ID: 3d8430d713c41f08b0b740d6d9d1fd608e1c31dd603adafc1a5d76a3abd5381b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f9b1fec49d62a91fe347c3df39ed17c29e7ef118de59c79a4686172d2d8edfb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F2C012DBE1B63417D71511A629421F597C48B87E14B0248D6D95CCA101B05E5D1752EB
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 63f78561711dbb5775fd9e8664afc893cee9745494082f89d831ef110f6fdb28
                                                                                                                                                                                                                                                                        • Instruction ID: 5400905f57a788583586b399bb14fe24786ead07ae2a72eb4e4ba268866f11aa
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 63f78561711dbb5775fd9e8664afc893cee9745494082f89d831ef110f6fdb28
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CBD05E26B5F3602BCB1466B524181B86B999B42920F0648EBEE199B742F6699D424384
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 75e3f9da7344f3e59e7863717a33d3143b58d2f49b2b295d5edda88f71542c54
                                                                                                                                                                                                                                                                        • Instruction ID: 78162404f12c80f47f03b01f3b35bf56740cda79997f7a28dde105a7cde15141
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 75e3f9da7344f3e59e7863717a33d3143b58d2f49b2b295d5edda88f71542c54
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E3D0A73231612C6B62006A5AD8569BE7BE9E7892A07508427FD0293220FDB07C519799
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ae1a8125c4a7d41a5dba6208d1a5ec57c1c106610af738538118d1864c3aff01
                                                                                                                                                                                                                                                                        • Instruction ID: ea77db13d84bf90d697493278ce02cc6f7f25837376133f748c07b5f091d1bf0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ae1a8125c4a7d41a5dba6208d1a5ec57c1c106610af738538118d1864c3aff01
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4BD01270A10208EFCB44EFB4E91195D77FEDB49204B1081E9D509E7251DE316E009B91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 43527a2b7b321d8152c41cb15160b17ef58dbeff45eb051029221b3d307aa1f3
                                                                                                                                                                                                                                                                        • Instruction ID: b9411e0a483350f0d174ba44fc86821a85b5795ca2091afa5ebdc9747846800f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 43527a2b7b321d8152c41cb15160b17ef58dbeff45eb051029221b3d307aa1f3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 23E0EC30A4570ACFDB249FE2C5546AE77B1FB04309F204815D411AA244FBB5A906CF40
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9fb4c1273d54be710aafc5a1e6ab4eeeafd2bca19a85488ebff91e8af01a6a81
                                                                                                                                                                                                                                                                        • Instruction ID: df0a80d710a0c5238cc0f6746e95c937fd9a8f152c4c6313e3f171c369f92f0f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9fb4c1273d54be710aafc5a1e6ab4eeeafd2bca19a85488ebff91e8af01a6a81
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 27D05E70911309EFCB00DFB4E94195EBBFDEB49200B20C6A5D8049B211EA705E00AF80
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1380011573.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_46e0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 21fa9285540a807ec8904c357b4746b842640462142822c4bbe3a8980874605d
                                                                                                                                                                                                                                                                        • Instruction ID: 2a72d70f20d92c501ba0d291e15c5960335e2ff001e9859d494846bba5313552
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21fa9285540a807ec8904c357b4746b842640462142822c4bbe3a8980874605d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 97B13D70E0024ACFEB50CFA8D8857EEBBF2BF48714F249229D815A7254EB749845CF91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7ed05ea3c2bc0cea0e601b101b327eb4d67b231dc3919ef07f4653fc193e43a2
                                                                                                                                                                                                                                                                        • Instruction ID: df848d480228e80625917bf40543b2bd7fc84bc49ce8ba7cd9d8a84f0890755e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7ed05ea3c2bc0cea0e601b101b327eb4d67b231dc3919ef07f4653fc193e43a2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D571B235B002149FEB449BB5C8687BEB7A7EFC8310F549029E906EB390DE74DC528B91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: dfaeae42cd26e94cf85e18026701b0de1e1cc373fc35714a8e1450b3220cf817
                                                                                                                                                                                                                                                                        • Instruction ID: 685b5b288babc1b68edab0106c2cf7633365962498136fbc977d0eb8a8fb7e65
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dfaeae42cd26e94cf85e18026701b0de1e1cc373fc35714a8e1450b3220cf817
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F651F330B44284AFEB499B64D8247FE7BB6EF89310F14906AE506E7381CE744C05C7A1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e5ca33719d1a7822c0fd2130bca464f485341e6785ac4afd988bcc8e0597855f
                                                                                                                                                                                                                                                                        • Instruction ID: 9a4feffae579eba48276d1359e72310b2d87647fa03e957d0b63b6c2ce0db15a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e5ca33719d1a7822c0fd2130bca464f485341e6785ac4afd988bcc8e0597855f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4551E035B002089FDB55DFB8D8607EE7BB6FBC6250B64812AE815D7351EE308D42CBA0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d1301bca79383cc5caf776a5b44d615d1bfc650c26cf3312ff0f64dd8a2cce33
                                                                                                                                                                                                                                                                        • Instruction ID: 78eade27d6fa0e573002e68041921aa6431f0ccf1be70911e2e75a2037b5d77a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d1301bca79383cc5caf776a5b44d615d1bfc650c26cf3312ff0f64dd8a2cce33
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 76412431A44208AFDB48DB64E8347FE7FBADF89311F60506AE90997390CE348C55CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 91c0419bff369952e7daea822873220a7566d0153d8a9f04ce71d35e61d1c232
                                                                                                                                                                                                                                                                        • Instruction ID: 6cb6c52c1a67ef266d79311c9f669e03f2466d8b4ac44c98e12840107433e7c8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 91c0419bff369952e7daea822873220a7566d0153d8a9f04ce71d35e61d1c232
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E4411735B111089FCB94DF69D8809EEBBB6FF88320B108169E915EB321DB31DD41CBA0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6a778cbd29c205e7c53b2a91b28e80309c223abe4cd594526e47062bb893c911
                                                                                                                                                                                                                                                                        • Instruction ID: e9eda16ed747301d94d60446e2cc7d621dd806390c227cc89ae1c4ab12d76b86
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6a778cbd29c205e7c53b2a91b28e80309c223abe4cd594526e47062bb893c911
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9431F078B02104CFC794EB7894253FE3BF6AF89211B144069E929DB351EF308A42CBA1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 26d51e030aa10eb5fbe01d9866c6ab37fa2eb93a475533d954e957545c10248b
                                                                                                                                                                                                                                                                        • Instruction ID: b6c78d773fbe0237fb09e0b19bd395a5d269b2b738cce5621ccce137dd074d29
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 26d51e030aa10eb5fbe01d9866c6ab37fa2eb93a475533d954e957545c10248b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6215B36F102149BEB448A7488647FE7BEADFC8240F44A076D906D7380DE74CD16C390
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 49323914199a76a0db3f517f01c5c7033403e8ec7fc08d4866feef6606fd7487
                                                                                                                                                                                                                                                                        • Instruction ID: bbd4d6cb31e5fa0d124d0c4751b204ebf85aaee4dc5f91d08359073ede625a6f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 49323914199a76a0db3f517f01c5c7033403e8ec7fc08d4866feef6606fd7487
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2001B530E693495FDB4ACB7469313767FAAEDC720478914AAC649CF153E9248818C791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000002.1388585066.0000000002ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ADD000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_2add000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2a342421f53a8830ec2326487b4e8fd101da3c03df30acdb80a3d3a635231b70
                                                                                                                                                                                                                                                                        • Instruction ID: 8ed6e204fb016dbffbab541ab517079af750379eabecb9377ada43e58351cd61
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2a342421f53a8830ec2326487b4e8fd101da3c03df30acdb80a3d3a635231b70
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6701F7724047409FE7208F21CCC4B66BBA8DFC2224F58C52AED4B0B142CB799941CAB1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5bd95fc702280b03c695c93b3f7fe9276ce01e8fb224825ab227cdc83e1d87b0
                                                                                                                                                                                                                                                                        • Instruction ID: da0f8b4c49f12f13e044eb2db2c938f2aa68f7f0d813bc06f929c0d06afe502b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5bd95fc702280b03c695c93b3f7fe9276ce01e8fb224825ab227cdc83e1d87b0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2B01AD75A102058BEB98EA6884683FFBBE7ABC8350F24916DD102F7380CE714C41C7E1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7a6e9391e23dc87145a3362a0392dc3631f7eb948d38c8332134fcfca8a8efb0
                                                                                                                                                                                                                                                                        • Instruction ID: ce33d4e11502fd56c87454469aa0710cbeb3ab9982b68e25eb8734ca18b639fe
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a6e9391e23dc87145a3362a0392dc3631f7eb948d38c8332134fcfca8a8efb0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 66012632B453404FE7057770E9007B93B6ADF42321B04A0A9E9028F252DE61C841CBE2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000002.1388585066.0000000002ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ADD000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_2add000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: fbdf912e1cec3302617d62e5398a98ee1813369161651cbf6b45c35f73902868
                                                                                                                                                                                                                                                                        • Instruction ID: 0632026bc68c069c42e984dc347e9c33a3dc190aa5d24647ad87b906a8d77bbb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fbdf912e1cec3302617d62e5398a98ee1813369161651cbf6b45c35f73902868
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C0019E6200E7C05FD7128B218C94B52BFB4DF83224F18C1DBE8898F593C2695849CB72
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 50df484cf601f9c82e1c88cae1e42d179e246f35b71b226c5a368867a33cde04
                                                                                                                                                                                                                                                                        • Instruction ID: be3c82ced1587c8845eda497aa1911d57b1975efbf2ad1094631e34a05a0e1c9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 50df484cf601f9c82e1c88cae1e42d179e246f35b71b226c5a368867a33cde04
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 86016979A112148FC744EBB9E4056AE7BF5AB89720B10006AE919DB350EB319902CBE0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d1c56dcb9d9db9fe48f3c3486ec6fa3f600ba0a794729b75e692632263a7a9d7
                                                                                                                                                                                                                                                                        • Instruction ID: 87fa99b6fb3ede436d437dd0be69375e80c65ff00f13b4dea0fc3624c65c5f0f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d1c56dcb9d9db9fe48f3c3486ec6fa3f600ba0a794729b75e692632263a7a9d7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0EF0F430E553456ECB4ACB78503037A3FAAEDC7314789146AC245CF292E9248444C781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: db6d2a06df1d43fbeaabd001bc164a86842a79a2929d15cae23f068eb3299cf4
                                                                                                                                                                                                                                                                        • Instruction ID: 8d457bc0c28fde06a4d5b0f73de1f2bb3eade9663b98cf4a9b94dbcc3325b8e6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: db6d2a06df1d43fbeaabd001bc164a86842a79a2929d15cae23f068eb3299cf4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3BF090327513004BEB09BBB4E91477A37AAEF85720F409528E9028F241DFB19850DBE2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000006.00000003.1387790770.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 58805b6cfca72a4aa85d188593cf4d1383169f762ed6d36d0c146ade36645016
                                                                                                                                                                                                                                                                        • Instruction ID: d24e9a7276d8261b5f36c752e8cd4ec8973e072266ef5a95cd29f7eaa31a4e15
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 58805b6cfca72a4aa85d188593cf4d1383169f762ed6d36d0c146ade36645016
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 45B012896581005B7680AA314CF47EB40829AC2100BC0FC00600274004CC14D0000029
Memory Dump Source
• Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: r3}2
                                                                                                                                                                                                                                                                        • API String ID: 0-2484714233
                                                                                                                                                                                                                                                                        • Opcode ID: 755f38c8e512500c2636d6667a69cb588e128f9b9ca4370fc8acccb4e9b0dafd
                                                                                                                                                                                                                                                                        • Instruction ID: c62b9e2ce042bee9e93af1c16fbea739a17488995f8b5cd81f7de62869a6a254
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 755f38c8e512500c2636d6667a69cb588e128f9b9ca4370fc8acccb4e9b0dafd
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6110A30A08A4DCFDB45EFA8D855BE9B3A1FF95700F9585B9E00CC7286CE35A842CB01
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8df1aa3251c95c7cb0735aafeab0e1c022321405aba493fb0ded858497aaed6c
                                                                                                                                                                                                                                                                        • Instruction ID: 36dafe3cf0fad28eb4fb6ca26405cc0ad355148bc04f87d3a8fa3066116652ac
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8df1aa3251c95c7cb0735aafeab0e1c022321405aba493fb0ded858497aaed6c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F5824870918A5E8FEB9AEB18C4997E8B3B1FF69304F5041F9C10ED7295DA35A981CF10
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468657951.00007FF7BFD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFD80000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfd80000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 36065d539e6df4a41aa27077a50cbf12fef9e8a3b64e7fbb0f8b46f2f8f22f84
                                                                                                                                                                                                                                                                        • Instruction ID: cbe25f2452624771a623be3ecb05e9d46321dc2938b4e96c13bbd080ca314566
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 36065d539e6df4a41aa27077a50cbf12fef9e8a3b64e7fbb0f8b46f2f8f22f84
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C1F13C31B0CA854FE759A76C982D6B8B7D1EF67710B4405BED08EC72A7CD18AC4287D1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f09045712e20c211e316ece4ac251b02387929bfff46a952104fc363a2695b33
                                                                                                                                                                                                                                                                        • Instruction ID: 8512596d1410aed1cc6d33ce652bc0eba3f9655f20f637ca2146a656e733e4f6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f09045712e20c211e316ece4ac251b02387929bfff46a952104fc363a2695b33
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 30D10730908A8D8FEB69EF28D8557F977D1FF59310F44826EE84DC3295DB34A9448B82
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: db5282a12c624419f40ebf4398cd251ff02f21c80fa1562a8adb0b4a858f8cf5
                                                                                                                                                                                                                                                                        • Instruction ID: aec1066e19875e2abc9f24aa5f77fce25459a1e8dc2dce379e62464622f0e551
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: db5282a12c624419f40ebf4398cd251ff02f21c80fa1562a8adb0b4a858f8cf5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DCD1057090E6C98FDB46EBA898196EDBFF0EF17310F9441FAD148DB1A2DA285844C761
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2a588837e379b24dbcfba78caef143bfe837b4a626db417dd70f61dd6db53ad7
                                                                                                                                                                                                                                                                        • Instruction ID: 0e2652b8d733bf8131f19d2531655525d4b5b3cd0b5b59c4236420312e3c8980
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2a588837e379b24dbcfba78caef143bfe837b4a626db417dd70f61dd6db53ad7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BAE1C370909A5D8FDB99EB58D498BECB7F1FF29301F5040AAD00DE72A1DA35A984CF10
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 45a20a104afffd5002720c87aa4623878d53ea8e320df335090ef3d7ead2ec1c
                                                                                                                                                                                                                                                                        • Instruction ID: 5251f90ed56c82e0545de5b4c4935edba1a3f89c21a5efe5de2657930c13286d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 45a20a104afffd5002720c87aa4623878d53ea8e320df335090ef3d7ead2ec1c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 82C14C3090C6CA4FD756EB6C9819AE5BBE0EF23710F4442F9D14DCB1E7EA18A8498790
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d4cf7bdaeac7c7c427f21b31f4288907eccee62ad2d4814f88073e3d80b5f836
                                                                                                                                                                                                                                                                        • Instruction ID: f2000e0ee1dd0c33074031fab78ec6132871ad6345439c08f27da7c79e0ce51d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d4cf7bdaeac7c7c427f21b31f4288907eccee62ad2d4814f88073e3d80b5f836
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 57C1C67090895D8FDF94EF58C898BA8BBF1FF69301F5141AAD00DE7262DA34A985CB41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468657951.00007FF7BFD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFD80000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfd80000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 05dc306a5902161bac05f7ebf85b0fec53ea2600e5c991f8a818d54c600d95c0
                                                                                                                                                                                                                                                                        • Instruction ID: 28cbad7b8ea377aced6cae74a23db63e2c7f99ce9fb70637edb5053711aa161a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 05dc306a5902161bac05f7ebf85b0fec53ea2600e5c991f8a818d54c600d95c0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E931B431D08A8D8FDF92EBA8D458AECBBF0FF1A310F4441B6D148E7192DA386845CB11
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 758c1b81fdfdf8747ed137e9d601fc1bafd2bf5dea26e00246be450c3b18f7d9
                                                                                                                                                                                                                                                                        • Instruction ID: a9b36d62fb6a90e9f2842211dae012aaa7ab125a411cf78d331c9338cdd29fae
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 758c1b81fdfdf8747ed137e9d601fc1bafd2bf5dea26e00246be450c3b18f7d9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52218171D09A8C8FDB81EBACD449AEDBBF0FF59310F50017AD108D7152EA386840C710
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8306c1a54b84bab6dab8924aa7f83843df66bf7170d152bf944189ac169138c3
                                                                                                                                                                                                                                                                        • Instruction ID: a29f44424a69ff1aac833fce90c764a8733eb333cc1555d9afc56ca284d8feb1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8306c1a54b84bab6dab8924aa7f83843df66bf7170d152bf944189ac169138c3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DD21C532A0969E4FD702AB6CE8555E6BBA0EF85320B4543B7E00DC3297CE349845C761
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2f54d78967f339fd28155c53a609b6be0128dfd7776c78d08d6f422a182f6759
                                                                                                                                                                                                                                                                        • Instruction ID: cf1f5ba79e0de8aa15f1889c118e30551fa436b5cd0022924c5894d6f3e8a0ee
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f54d78967f339fd28155c53a609b6be0128dfd7776c78d08d6f422a182f6759
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B2218E3090865D8FDB49EF98E814AFEB7B1FF66700F40417AE109D7295DB346840CB61
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b124a20550174573bcf73a805f2209045828e4c6d03366b4948e5274bb394b08
                                                                                                                                                                                                                                                                        • Instruction ID: 7d20ea6c9e8c051d49509773721070d449c459de19bf330233ada2ea60e8b27a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b124a20550174573bcf73a805f2209045828e4c6d03366b4948e5274bb394b08
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D6112631E09A8E4FE745E7ECA8069EDFBB0EF56251F9042B6D10DD7196DE1828418322
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a20edee4933021e2bb220bd133075054ea4d92cfdf9701d7da2b0e4f303225c2
                                                                                                                                                                                                                                                                        • Instruction ID: faaa45ff1de055200fa8d3553acdb41adbc1a018c4480c05a9bb651a15e90fdf
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a20edee4933021e2bb220bd133075054ea4d92cfdf9701d7da2b0e4f303225c2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D11E271D0CA8D8FEB46EBA894556FDBBB0EF96310F4042BAD209D71C3DB2864548B51
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: af6c39e724097145fa2e86bdc7f4f8ec4da40b3c212407759935ab9235732c98
                                                                                                                                                                                                                                                                        • Instruction ID: f36bca369154cbafed997ff84a1560a2391f5b1e26597a178332fe48ae463f54
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: af6c39e724097145fa2e86bdc7f4f8ec4da40b3c212407759935ab9235732c98
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 15012431608E890FD78AEB2C9458AB0B7E1FFA621074941AAD00DC7297DE18E845C351
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.1468272839.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 35d4aa316ffbd6d8014da1898a43c1aeff4fcd05f63c044e0c84edda593695ae
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8CC15730619E8A4FD798EB1CD444AB6B3E1FFA5740B544A7DD04EC324ADE35F8828780
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: I:_H
                                                                                                                                                                                                                                                                        • API String ID: 0-2877300948
                                                                                                                                                                                                                                                                        • Opcode ID: 2877ec17c90401c049ea0d35c1734f8cb7e791309a074b0ef3fd9b8e3523a933
                                                                                                                                                                                                                                                                        • Instruction ID: 36af53cfb21dac883c02c21b48bae8af7c6e5562a40beae7c0c5ac7f2b946776
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2877ec17c90401c049ea0d35c1734f8cb7e791309a074b0ef3fd9b8e3523a933
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C262D23061DB8A8FE794EB6C84556B6B7E1FFA9700F504579E04EC32A6DE34E841CB42
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: H
                                                                                                                                                                                                                                                                        • API String ID: 0-2852464175
                                                                                                                                                                                                                                                                        • Opcode ID: 4f7daabbebc6e05e524b2d840cb7870625f9325096e75cc36165d4cb08b10350
                                                                                                                                                                                                                                                                        • Instruction ID: 56ebcfe2b732bcde3f42c40fd0116d7260500884f7b08d9fa4085b7d3215904f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f7daabbebc6e05e524b2d840cb7870625f9325096e75cc36165d4cb08b10350
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2AE14E30B1CA894FE749EB2C94595B9B7E1FFA5710B40427EE04EC3297DE24E842C752
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: d
                                                                                                                                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                        • Opcode ID: 44c47735068107354f8d485e954952d3073209f9d790106a5220da01435b4dc9
                                                                                                                                                                                                                                                                        • Instruction ID: 108f39429974c433dcc12a5893e723916197235bffc1e3883bf38e5563d997ef
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 44c47735068107354f8d485e954952d3073209f9d790106a5220da01435b4dc9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 56D11430A19A898FD758EB5C94486B5F3E1FFA5700F5446BDD04EC329ACE35F8828791
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: d
                                                                                                                                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                        • Opcode ID: 7aadac5cfc12e2525e801157d4a7bec208f1058b148357a04d7d10c59baa066e
                                                                                                                                                                                                                                                                        • Instruction ID: 6e3b5f69fe7793eba398b56959b7515194d5e0c60d78b47b4ad023131e79209d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7aadac5cfc12e2525e801157d4a7bec208f1058b148357a04d7d10c59baa066e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A2C1213061DB858FD368EB5CD4455B6B3E0FFA6750B504A7DD18AC328ADA35F8838B81
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: I:_H
                                                                                                                                                                                                                                                                        • API String ID: 0-2877300948
                                                                                                                                                                                                                                                                        • Opcode ID: d4d84ad1384f7344cfb9a38f99d253c1080cd03e9f68a8d2368f538d4c72c08d
                                                                                                                                                                                                                                                                        • Instruction ID: 771961631079395c7e6baee726d578e5fdee0b18ff3608893614725fafdbf995
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d4d84ad1384f7344cfb9a38f99d253c1080cd03e9f68a8d2368f538d4c72c08d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4BC1C230619F8A8FEB98EB6C8455AB6B7D0FFA5350F40417DD44EC31A6DE24E841CB42
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: d
                                                                                                                                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                        • Opcode ID: c3b30259cbae479900424c49b8f605474bffbc829c08d74bec5eaac22e6c778b
                                                                                                                                                                                                                                                                        • Instruction ID: ee12a0fcd2f73095a217a1461be8500ff1d3e7f245cea1de44946167ab4ae526
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3b30259cbae479900424c49b8f605474bffbc829c08d74bec5eaac22e6c778b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F7C1E13061CB858FD768EB5CE445575F3E1FFAA710B504A7DD18AC366ACA31F8828B81
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: L_H
                                                                                                                                                                                                                                                                        • String ID: tM_^
                                                                                                                                                                                                                                                                        • API String ID: 0-212585260
                                                                                                                                                                                                                                                                        • Opcode ID: b68fe3f668af120338c73a132dea19caa61dea7cc6d45804d5f76363cdfa85f6
                                                                                                                                                                                                                                                                        • Instruction ID: 9bd5a15071695d48f2571c45d081294608e5a7e12b29b9100814fdc0320e92b7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b68fe3f668af120338c73a132dea19caa61dea7cc6d45804d5f76363cdfa85f6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F4311632908956CBE702BB7CF8491F97B90DF22334B084377D54DCA1A7EF2864868698
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: H
                                                                                                                                                                                                                                                                        • API String ID: 0-2852464175
                                                                                                                                                                                                                                                                        • Opcode ID: dcf9de6302a6ef8f015c8261a2b0803a66a2163cd7421f0fd0a101c26ac6c08e
                                                                                                                                                                                                                                                                        • Instruction ID: 2e343e3291bd99bd3250d7ef4b42b2ca20c92e3fa8e1dc95dbf93bba4a430885
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dcf9de6302a6ef8f015c8261a2b0803a66a2163cd7421f0fd0a101c26ac6c08e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4531B031608A0BDBE654EBBDE4892E5B3D1EF942287244336E04EC254ADF24F8528794
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 691199c0667ae60d582d50e4a8c0cccccda46bb4f11327c85bc0f7f4a7ae7f93
                                                                                                                                                                                                                                                                        • Instruction ID: 9a3bef5447f539c600f909eb34392b6776e3ea6a3730ed8478fed7a09fcd30f8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 691199c0667ae60d582d50e4a8c0cccccda46bb4f11327c85bc0f7f4a7ae7f93
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DD524830A1CA868FEB95FB7C84256F9B7E0FFA5700F4445BAD04EC7196DE28A8418751
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 2ad681d1c5c3fcbe7474527a5efd1e98d5360ddf7960e6356f1081422f2cdad2
                                                                                                                                                                                                                                                                        • Instruction ID: accca14c14d116dba9398040d3eba78ef53cd3d0c6853a0da7d921074096ff11
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2ad681d1c5c3fcbe7474527a5efd1e98d5360ddf7960e6356f1081422f2cdad2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 79222430A1DB858FD358EB6C94551B9F7E1FF96B00F14857DD08EC319ADA28F8828752
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c0529deb1e71f9fb813d00cdaf97e5ddde68334729cbd6ed3a7c4ccd2cac6814
                                                                                                                                                                                                                                                                        • Instruction ID: e3ba05d847cb3c3ab063b3fe7d181ff3ac3cd92da0a0b7dfc2b25a3fefbdd05c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c0529deb1e71f9fb813d00cdaf97e5ddde68334729cbd6ed3a7c4ccd2cac6814
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A3F1157061DE8A4FEB59AB6C84166B9B7D1FF95710B4042BEE00EC71A6DF34EC028791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: afa229a8be6ba3ca5ee30b1f0bbb7d85e3d7c7f997b7553eae090e47b395a869
                                                                                                                                                                                                                                                                        • Instruction ID: 7f6e7c592632237877bfd8b8f4ed697e11077c5f23d5331a095e78c77e41ff10
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: afa229a8be6ba3ca5ee30b1f0bbb7d85e3d7c7f997b7553eae090e47b395a869
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24F1062070D98A8FDB86EB6CA4646E9BBE0FF5631470406FBD04DC719BCE25E852C790
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: cdb8a6fbde2ff41d3f6b19898c585a02dc8e8b776e2c054450e8c514f0a40a21
                                                                                                                                                                                                                                                                        • Instruction ID: abeafa40ceffdb98d9b246c1d2d83f5cb7c6c298bfbdac111bd7a760f7f60d89
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cdb8a6fbde2ff41d3f6b19898c585a02dc8e8b776e2c054450e8c514f0a40a21
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9AE12C30B19E464FE794EB3CA4596B9B7D1FF99710B5005BEE04EC3297DE28AC818391
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e3dc26b3dc2e5a672276743e1ca3c3c67704fd1378dd233119ff1682abb0eae7
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5de32e92aa9bc1586b44cdc1c30fb22a696d3c0c9d54d4ad3e0e83f06a45d43c
                                                                                                                                                                                                                                                                        • Instruction ID: 5e54d97e038f282ff3e269f8952a6b47bbb2e2f4da2c1e143a554a67b39b4d9d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5de32e92aa9bc1586b44cdc1c30fb22a696d3c0c9d54d4ad3e0e83f06a45d43c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 14A13630219E458FDB55EB6CD444AB1B3E1FF663107544ABDD14EC32AACA25FC82CB90
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 51205a9055adfc6cdf89995a7ad56ec586fb2384ad06c6215bb85b1935eaa54f
                                                                                                                                                                                                                                                                        • Instruction ID: 3bcde2112a266e68e1d9d67c607cef15a17c090a85bb2993b2728e8fc73784fa
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 51205a9055adfc6cdf89995a7ad56ec586fb2384ad06c6215bb85b1935eaa54f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BD910A3061C9498FDB48EB2CA45AAB8B7D1FFA5740B40427DF54EC3297DE20AC52C786
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b67e66263613d9252a02fac3cba96459cac0d6f14760d3c5b76f190978b70ce6
                                                                                                                                                                                                                                                                        • Instruction ID: 14c41ed632bd1b0257c4d15f90caf004d9cda441308c393ebcf686611ecc4bb4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b67e66263613d9252a02fac3cba96459cac0d6f14760d3c5b76f190978b70ce6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D0B16C70A18E498FE785EBA8E4557EDF7A1FF59310F50826AE00DD3286DE346851CB81
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 057505866db78877058d64224ae4b7a7e656924bb37e7a827f9b93802435915e
                                                                                                                                                                                                                                                                        • Instruction ID: 7b41fab838203dfba226b770c665a41bb5ff6e7b5455ebe19856915fc9a32fa6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 057505866db78877058d64224ae4b7a7e656924bb37e7a827f9b93802435915e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4E812A3170DC590FE6A4F76CA8597F9B3D1EFA5760B4405BAD40EC729ADE18AC828381
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 01855f0d44430e936c1dc93be5cf62885267a65790f3c33eb0e08a0b46da08e5
                                                                                                                                                                                                                                                                        • Instruction ID: 6d37f3707d80de4969e1b5366b7e0975943b32e5e91e2d8f19ae3f99463d6a51
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 01855f0d44430e936c1dc93be5cf62885267a65790f3c33eb0e08a0b46da08e5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2C91C631B088598FEB95FB6CE4586F877E1FF68710B444276D08ED7297CE28E8418754
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6daaef8f918be0091075901a9e52f95e442d96d4de1124a5ff1a39914458379a
                                                                                                                                                                                                                                                                        • Instruction ID: a0ddb34f184aa11a400cdd2d39ec6a647ac9e27307e6689cd58322f96d2f98e7
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6daaef8f918be0091075901a9e52f95e442d96d4de1124a5ff1a39914458379a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0E913730619B8A4FD758EB6CA4495B5B3E0FF66710B544B7ED08AC319ADE34F8828781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c90086e3137e4740b5d444c56c623e7f46fb2e9b6f3bdf781f064d1d891aef71
                                                                                                                                                                                                                                                                        • Instruction ID: 9cde923d4e0e2dd5d4547879b8d56401e0f7e3a08c625d239e266617d9b004a9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c90086e3137e4740b5d444c56c623e7f46fb2e9b6f3bdf781f064d1d891aef71
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52A1A03091DB898FE799EB6C8445AB6BBE0FFA5340F40457DD44EC3296DE74E8818B42
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f9e2a6ec0f93ebc0804cd2edef440815ab80919d7cca77bc4cc4f5dd8a48f1a9
                                                                                                                                                                                                                                                                        • Instruction ID: bda91e3a7c9c5115585b814dac820694fd751ee7c1c761fb8f972743c38bee5f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f9e2a6ec0f93ebc0804cd2edef440815ab80919d7cca77bc4cc4f5dd8a48f1a9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E6812430A0CA498FDB54EF5CE8846B5B7E1FF6A310B54027ED14EC3296DA35B8968790
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9fc4d043c73292560b03be89809e51c49d32e6c3d5c93dd0d3e35dfd768e0fb7
                                                                                                                                                                                                                                                                        • Instruction ID: 0bb59ccdef3b9b099a4af7d70ad47aa958533adbe9e2f389a65bf1854bff69b2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9fc4d043c73292560b03be89809e51c49d32e6c3d5c93dd0d3e35dfd768e0fb7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1291693061DB894FD355EF6CA4495B6B7E0EF62710F500A7ED48AC32AADE34F8828751
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c76898fb3b6f89c68f509db23ed2a32cd2017707ab111ba5108b613fa64efade
                                                                                                                                                                                                                                                                        • Instruction ID: fedcaefeb3e9042f7caf974b21a489f728878cbb1aaa7674dc2ba2d32f2bb878
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c76898fb3b6f89c68f509db23ed2a32cd2017707ab111ba5108b613fa64efade
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A81243070D9894FD7A9E76CD4596B8B7D0EF5A71074000FAE08EC72E6DD1AEC828391
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 3301713f36a14cdb3a94476b4407e5a727c958d617c6704144586f60a311eef0
                                                                                                                                                                                                                                                                        • Instruction ID: 91a609871375683db44c6c5b1fbf3105319d5ebfe14e6560314af771f091c839
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3301713f36a14cdb3a94476b4407e5a727c958d617c6704144586f60a311eef0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C4B12770D09A5D8FDB95EBA8C459BEDB7F1FF59300F5081A9C00DE7295DA34A881CB50
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 84987c668ec8d0beca474659f4e1de2e1cd1f48b9c67e38211df405775e1e4cd
                                                                                                                                                                                                                                                                        • Instruction ID: ab8c889e7e44df83e2b8b7615c0c0635e839f85d7a1936b088b9aff11114d81e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 84987c668ec8d0beca474659f4e1de2e1cd1f48b9c67e38211df405775e1e4cd
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 20911A70C08A8D4FE755EBA8A8492FCFBE0FF66710F80827AD14D971D5EA395485CB50
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 73e95ae513165c14cfe48725a2c0d1a9f8df21e8b9e8ed27a259c76b918e25ed
                                                                                                                                                                                                                                                                        • Instruction ID: dc8fb2d5453d9dd796ca4fab3cbf762530f6b67ceb44a3aac2239e44ac06d46f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 73e95ae513165c14cfe48725a2c0d1a9f8df21e8b9e8ed27a259c76b918e25ed
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2491DF71D09A8D8FEB89EB6CD8496EDF7A1FF55700F804679D009D3286DE38A841CB50
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 30a61e591ad259ebcd750c591cc65fd845539cd37f1eea8de9b65313650a7df4
                                                                                                                                                                                                                                                                        • Instruction ID: c0a17dfbf4eac91947a245268d57cf7ab65e166c5ec85b26da418247b3caafb5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 30a61e591ad259ebcd750c591cc65fd845539cd37f1eea8de9b65313650a7df4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35914E70A18A498FE745EBA8D8557ECF7A1FF59310F5442AAE40DD3282DE346852CB81
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5f086be7e80fa6a6d43ecfa6c9292bf3536754d279453ca6c52dd90e819fd89e
                                                                                                                                                                                                                                                                        • Instruction ID: 09094963d1977e20ef6473951cd2c4fd7f48ae6049ecb788f9bf2c8612ed31ce
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f086be7e80fa6a6d43ecfa6c9292bf3536754d279453ca6c52dd90e819fd89e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A81C470A0DB898FE758EF2C84196A6F7E1FFA9701F50457ED48DC3296DE34A8418B42
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9cc6061a63020f440b43c1c48446726382c279579b2486132115b4e1dd9f03e9
                                                                                                                                                                                                                                                                        • Instruction ID: 805564de48c8c6564ce1d787b98b7117998f3a14e63d1d8c0e059dc93f6c1d07
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9cc6061a63020f440b43c1c48446726382c279579b2486132115b4e1dd9f03e9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A7918F70908A8E8FDB85EF68C855BEABBF1FF55300F5042B9D409D7296DB34A856CB40
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 477085852db6fa1ffd8af5ae736912623dc6a58bd9c9f7771d6e7ae720bcb2c2
                                                                                                                                                                                                                                                                        • Instruction ID: 3b5ef2dbed804ff87ec780ebfdb2f46c682df85a526c2cd6d56f33f1e15cdee6
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 477085852db6fa1ffd8af5ae736912623dc6a58bd9c9f7771d6e7ae720bcb2c2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BF716B30A19E8A4FD769E76C949D1B5B3E0FF6AB00B90087ED14FC3699DE24B881C751
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8882e9a56dce53f4ce07ca8c9172c2a91c3b5496f12b516aa547091c5ad97dc8
                                                                                                                                                                                                                                                                        • Instruction ID: b74217e4b5db7f76467b4861ad0fc8f7bf9f601631796debe2f7ea4e019f3b1f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8882e9a56dce53f4ce07ca8c9172c2a91c3b5496f12b516aa547091c5ad97dc8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 73514722B098698BE712B7ACB4496F8B7D0EFA5B71F444377E10DC618BCE14648683A5
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 558dcb80a9e9e03d404f615d6d00f86f8032f19fd4ff0107205aa52c40a1338d
                                                                                                                                                                                                                                                                        • Instruction ID: 5123474ab08b2c6168361e9f60344764bb70bc3efe53b654b10d2863a593c7b5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 558dcb80a9e9e03d404f615d6d00f86f8032f19fd4ff0107205aa52c40a1338d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A3712A70D08A5C8FDB98DF58C845BE9BBB1FBA9310F1082AAD04DE3251DB74A985CF41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9e9882e69666844c9aebc565c790469a06eed4b8620cc9fd1dc281fb6c606e50
                                                                                                                                                                                                                                                                        • Instruction ID: 12af0436dac5d8144deac1e7f9ffbce964249635f07d3a0e4b82c2219c16b935
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e9882e69666844c9aebc565c790469a06eed4b8620cc9fd1dc281fb6c606e50
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 67516E71A0CA894FD345A76CA8592F9B7E0FF46720B4042BED04AD3197DE382C8687E1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6f74a6673fb1441924345c89b38e4e889e359248e913b13bcf9b542791baea86
                                                                                                                                                                                                                                                                        • Instruction ID: 1fd276ff7bb88f6d9bc6c2f347907af876101a7b1560fe8978de01497aa01e78
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6f74a6673fb1441924345c89b38e4e889e359248e913b13bcf9b542791baea86
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9571D17090968D9FDB85EBA8C815BEDBBF1FF56310F5041BED009D7292DA395882CB60
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c3a6f3dc26ea28df26b54b7464cc79ddbae57ef1592010bb18bf85db5a139620
                                                                                                                                                                                                                                                                        • Instruction ID: 95287b3c827db6a3c0510ee9e5520be9d298f88f87d44c7fae669d01e86d5cb9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3a6f3dc26ea28df26b54b7464cc79ddbae57ef1592010bb18bf85db5a139620
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8671A97060DA8A8FCF86DF6CC495AA97BF1FF6A310B4541A9E049C7193DA34EC41CB91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 95a3ba59cf96f18797be7e651200eb2467029ad77ade96bbd84cc0abb3049370
                                                                                                                                                                                                                                                                        • Instruction ID: c67f48ab1c7234c2eb28dcc1e0ff890c88ad845cacc8567832c40dd741210320
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95a3ba59cf96f18797be7e651200eb2467029ad77ade96bbd84cc0abb3049370
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F651E270D08A899FDB82EBB8D8156EDBBF4FF56320F4441BAD049D7191DB385481CBA1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c3d3b8002f0477683038c1b7df50c90525b380a53ea79140f1e3eae829dea7ef
                                                                                                                                                                                                                                                                        • Instruction ID: d99f192fdd69d3c86824357c73d82190c8cfa5ca3c9ea1cabe2c63d519f2ca25
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3d3b8002f0477683038c1b7df50c90525b380a53ea79140f1e3eae829dea7ef
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7251C23084E7898FD396DB788C297D9BFF0EF46310F1441EAD049D71A2CA794886CB61
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 4b93a81213ac8954db1058322bda88dc36318c6fe71c2fd6fb652c49d9456db2
                                                                                                                                                                                                                                                                        • Instruction ID: 474e94e219acbb3667ca546c3b0d36f54e16de2e7842af49eb28bee2a8b2d42c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4b93a81213ac8954db1058322bda88dc36318c6fe71c2fd6fb652c49d9456db2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64414A30B0DF490FE754AA6D54062F6B7E1EFE5720B48417ED58AC3286DE25F84283C6
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 707f4770f3de7bd3c83a880b759bd39cd984ddf825fb4f1907554406abdf80ba
                                                                                                                                                                                                                                                                        • Instruction ID: 406afecb6db425dd08e740e3f206f1cc361076a61225b65a2932de694f5d7dee
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 707f4770f3de7bd3c83a880b759bd39cd984ddf825fb4f1907554406abdf80ba
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D951AE30D08A498FDB89EF6CD8556EDBBF0FF15310F5041BAD409D7246DA38A882CB51
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9a3846f8d10277a5dc41a52df167c2653725557750e43eccbcf514eb5af189fc
                                                                                                                                                                                                                                                                        • Instruction ID: 418852970f3eb85f9a7522a61e982f14e8569862d128392dc74c292f9acffcba
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a3846f8d10277a5dc41a52df167c2653725557750e43eccbcf514eb5af189fc
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C051BDA0619E4B8FEB59AB2C905A6B9B3D2FF95750784427DE00FC7297DE34EC018781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 3e040b42a3c4661abf0496d5f4cde4abe914b0d66855e56d90fa4d8062259801
                                                                                                                                                                                                                                                                        • Instruction ID: aa4074efa6e300c4ad3c371a319818b3e3b18e674a3ffabc5c1d259c1d4e395b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e040b42a3c4661abf0496d5f4cde4abe914b0d66855e56d90fa4d8062259801
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F517E31D18A4D8FDB59EBA8E4556FDBBB5FF95700F90413AD00AA3285DB386881CB50
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9886621f7ec3ab289a71d193dd9184be47bdf6291c1661418208ae3cbe9cf875
                                                                                                                                                                                                                                                                        • Instruction ID: 517babd5be18a6d23c56df144aec3ebf17dba022943416d6af9ffac147a72a19
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9886621f7ec3ab289a71d193dd9184be47bdf6291c1661418208ae3cbe9cf875
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F51E770D09A898FDB56EBA8D81A6E9BBF0FF16310F4441BED049D75D2DA3C1482C761
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E417E7160EA495FE719EB7C98069F9B7D0EFA2720B4002BED04BC7182DD25B80287D1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 40dcfea5558834ee3457abd2609171c42cee38d4ab5c87730805fa6e55ba9df8
                                                                                                                                                                                                                                                                        • Instruction ID: 51f2d9e718bb06bf44880659b86488b060d79c4fa2bcdc629547be01c30ce9ca
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 40dcfea5558834ee3457abd2609171c42cee38d4ab5c87730805fa6e55ba9df8
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ED41D970919A895FF395AB7CD82A6A9BBE4FF52720F4041FDC009D71E1EE2918828721
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 057f590b427eae97d640c1bb99e3693738cae721393f758f1fa119efeb07290b
                                                                                                                                                                                                                                                                        • Instruction ID: 33402263989a07ba77d48f8dcdd29857c45b60b6f27f87b701edb05212a1340d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 057f590b427eae97d640c1bb99e3693738cae721393f758f1fa119efeb07290b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E841B330619A858FDB95EB2CC454FB1B7D1EF65300B448AB9D14EC72AACE24FC85CB60
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 21c3ecf1c65379be4fbb2ffb0a7c9fb2b6029b3948c12df1ae57359e83ac1951
                                                                                                                                                                                                                                                                        • Instruction ID: f5fc3919f8bca05b1b736178c39e19fc6320b7812d1b9ebd6155f53139c7bb3c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21c3ecf1c65379be4fbb2ffb0a7c9fb2b6029b3948c12df1ae57359e83ac1951
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0541493560CB884FD340B76CEC6A6E6F7D4FFA5721F04467BD04AC3186EA24A84987C2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a271c7e13f6e823a42154320281318bbb1c4925297deb2a02b75a85c4c4ef7db
                                                                                                                                                                                                                                                                        • Instruction ID: 140ca9045fe5d6b783d0de5485f567830aebc97e3e65cef9a9db2c2c9ee184bb
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a271c7e13f6e823a42154320281318bbb1c4925297deb2a02b75a85c4c4ef7db
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F641D430D08A4D8FEB55EBACD8556EDBBF1FF16310F94017AD109D7182DA385886CB51
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7e006eda5d58936a9270f9f0e0e4f86ad13bbaf321e27ee35ea110a2a8351f78
                                                                                                                                                                                                                                                                        • Instruction ID: 20a11177f6d85bbc9ba8a6b3b45c8a93fa1234f19b2e6bb5f1b60663adb70d42
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e006eda5d58936a9270f9f0e0e4f86ad13bbaf321e27ee35ea110a2a8351f78
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8419230A0895D8FDB98EF5C94596FA77E1FFA8710F50057AE40ED3689CE34A8428781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 9e75a06bc9f3fc8526159123f64a58e945c19cc051e0670e587b048a2ed1c071
                                                                                                                                                                                                                                                                        • Instruction ID: b0fb74bded637669b5b7d38854f20b7944d0c5001a090c7ec2d58da25141eec1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e75a06bc9f3fc8526159123f64a58e945c19cc051e0670e587b048a2ed1c071
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 81310B61F18D5A4FE794A72CA40D3F973D0EBA9B15F84097BD40DC7298DE5898834392
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: fd9f84c7b0250605a7174c55c79d0f4f3b868e22785d91a66d81ddd64cde41ee
                                                                                                                                                                                                                                                                        • Instruction ID: fbdac45521c6c906f58c6a1601eb8cb8abf7729adc2bd7711af0b7e5764ff6bd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fd9f84c7b0250605a7174c55c79d0f4f3b868e22785d91a66d81ddd64cde41ee
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7941B330619E858FDB95EB2CC454FA1B7E1FF65300B548AA9D04EC72AACA24FC45CB50
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 650fd543a27c0a1f6fc31fa33cda805607e9d954c333b947d3de013a47fdb99a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5441C53050EA869FD345EB6C84256A6BBE2FFD5310B5481BDC049C7596CA38EC82C791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5aeb7e63ebcf25c42768ba557ca409d7bb8e7a71427c8e716c0416d4a6edc8ce
                                                                                                                                                                                                                                                                        • Instruction ID: b8aa68fab4dd7a00f3adf6f0b06a490221db0366a0b0e241f50eabb28e0278ad
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5aeb7e63ebcf25c42768ba557ca409d7bb8e7a71427c8e716c0416d4a6edc8ce
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4E31A171D09A5D8FDB94EBACE4156FDBBB0FF5A720F40057AD009E3291CA395842C792
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f46360a1d817e15b0cb610831156ef6fe462cb493ca132141d73b327a6e19b29
                                                                                                                                                                                                                                                                        • Instruction ID: cd8d889fabb3cae20963c3b37c28a30f4465e6fab35607c1b201a2656380de9f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f46360a1d817e15b0cb610831156ef6fe462cb493ca132141d73b327a6e19b29
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5B21283170DC4E4FEBD8E66C64583B9B3C1FBD9661B548676D40EC3289DE25EC428740
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: abc8310ed25ec6f445f113a2e6dc7f8589770a6cee8a5e0b5e26ddf1fb16bd4b
                                                                                                                                                                                                                                                                        • Instruction ID: 96bceb8ad459fac0972e374318e399bd93281d2545cebfd3ba120d6feb619d69
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: abc8310ed25ec6f445f113a2e6dc7f8589770a6cee8a5e0b5e26ddf1fb16bd4b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 12412A7090DB8A9FD345AB78881A6D9FBE4FF11360F0447BED41AD7193EE3814528B91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f15d03793f83f92e2957d25fbd2314fa3be2377f377d8d1f6d536c9fa32c3adf
                                                                                                                                                                                                                                                                        • Instruction ID: ee7e3a5942e74789274087f39bce9993e3061345fbb0b707724e5308da451173
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f15d03793f83f92e2957d25fbd2314fa3be2377f377d8d1f6d536c9fa32c3adf
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A416970908A5E8FDB98EB98E4893EDB7B1FF55310F40017AD10DE3295CB3869848B91
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 86d7fe373941672b5fc2a2f861dfe7d9848fbf4d2bddcd4ff4b3a33ca8f57603
                                                                                                                                                                                                                                                                        • Instruction ID: da6c96c756aabb84cda00716ef8ed5d60ceb89b8aab3ba403213aecc1010075f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 86d7fe373941672b5fc2a2f861dfe7d9848fbf4d2bddcd4ff4b3a33ca8f57603
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D318D70E54A5D8FEB99EB5CD8897E8F3A1FF58700F5042E9901DD3286CE306A818B50
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 0f175675df670404a03ce899a534f39900f37a38faf8ac4ef5f4e32d93b7ab93
                                                                                                                                                                                                                                                                        • Instruction ID: 333bc17989feb0c4bec0194c01b84d521710b52375e81e2161dde769f1b5523d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0f175675df670404a03ce899a534f39900f37a38faf8ac4ef5f4e32d93b7ab93
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FB314830A09A499FD785EB7D885DAEABBE4FF55311B4000BAE00EC3152DD349880C751
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ca8acb038b420b7c695e258614828808deb646030910a9ba5b1105624db67bca
                                                                                                                                                                                                                                                                        • Instruction ID: db85d2992f20124765c0f119d98ee380f06ae3f5c51280b42f6ef6fc9b4f66ea
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ca8acb038b420b7c695e258614828808deb646030910a9ba5b1105624db67bca
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DC318F3150E7C64FC3579B789865291BFF0EF0722071A45EBC489CB0B7E6689C4AC7A1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        • Instruction ID: 33e1ef7b34113ecaab38e7ebd3bdb823594b1423b236ef1e5c56b300d7d93384
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 478f2c137e8e4d4849e77b8d4d0417aa4e59f0c103c290ce5ccfb388644c2773
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1C21F771D0C6C98FEB86EF6CA8482E9BBA0FF66711F4441BAD44CC6187DE20A9418751
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8b21b3f0bc53601aadb91e5d9fa15a7b9bc81a799dfae0b444444cedc03ad580
                                                                                                                                                                                                                                                                        • Instruction ID: 5c6a8b8bfcae8ed2adf2dd423d5cd17f199dd78121b1b73f304de97e89b89a7f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8b21b3f0bc53601aadb91e5d9fa15a7b9bc81a799dfae0b444444cedc03ad580
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4D21D33080968E8BE7A5AB68A4046E8F7A0EF53710F94427DD10C971D5EB3999C6C764
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5e2bbd58e60d1cd5b5013a6a5a1cb3aea7abc4e8b67add21bc0ae3b4b8225091
                                                                                                                                                                                                                                                                        • Instruction ID: 9609c8866d2ec3344d41980ed84b9c648d1bd1df7d3dc9c61d6538c848a7b580
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e2bbd58e60d1cd5b5013a6a5a1cb3aea7abc4e8b67add21bc0ae3b4b8225091
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8021382060EAC64FE355B73C98152E5BFD1EF56790B4845F9D048CB2AADD28AC49C352
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c70efa44413211e4b583c88a90393a1d829d6f218b64bdad08c80c18c3ba6d8a
                                                                                                                                                                                                                                                                        • Instruction ID: dc33739264882faaea77a06353c96e263c66cfe66bcee5d1d5e574203b6692a0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c70efa44413211e4b583c88a90393a1d829d6f218b64bdad08c80c18c3ba6d8a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1921903030DD4C8FC794DB6CD8A86A4BBE1FF9931471942EAE04DC7262CA20EC51C741
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: ec01a4bc8e5e6afc1598a405946a0df4019323ddd21af70acf6b53e3ede4cefa
                                                                                                                                                                                                                                                                        • Instruction ID: f2339efd1235390a3c4139917930600e393c295bc4641b802d4e18f30b0491b5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ec01a4bc8e5e6afc1598a405946a0df4019323ddd21af70acf6b53e3ede4cefa
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1121D12060DB468FCB99EB3C8454EA1BBE1FF6530035586F9D009CB1B6DE24EC95C791
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 91706099127c1a904441b3a9677f1c9b0051327d0d8826b060816f23da93999e
                                                                                                                                                                                                                                                                        • Instruction ID: 62a41c5eece322872836de5bbc1e6b7407881c8bde78f21795d2dddbd76a1b9f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 91706099127c1a904441b3a9677f1c9b0051327d0d8826b060816f23da93999e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 42219A3188E3C54FD3135BB068165E6BF78AF03611F4A81E7D088DB4A3D52E5A9AC372
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b9b7249955b39c770ad3d7425b7d370fcfe68addcf0b8b70f4485c4d6f540a43
                                                                                                                                                                                                                                                                        • Instruction ID: d02101522fc44fd2ed5edc82aba8d02c81435d2b80d132378e49e998498eb6d1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b9b7249955b39c770ad3d7425b7d370fcfe68addcf0b8b70f4485c4d6f540a43
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4321B030518B898FD744EB28D84A7A6F7E5FBA9710F00467EE44EC3255DF34E9818782
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1eb91b6c2cbc57c9ff4c4645ab23641aefdd9f70801c6609cebd0333086466a3
                                                                                                                                                                                                                                                                        • Instruction ID: db011468f1e0fa710fa1a4a0282fcb7d49b3be04e430c782737e798a2c7447b4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1eb91b6c2cbc57c9ff4c4645ab23641aefdd9f70801c6609cebd0333086466a3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F721223050AA485FD754FBAC8849AF2B7E0FF96310F4005F8D009CB1A6DA39EC80C3A0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1f37f777de7417f2252e8fee867a3673f2e46608064ffb2ec63fb1674108055f
                                                                                                                                                                                                                                                                        • Instruction ID: e89afb489423257ee9fbc7ccd53b5a503e49042d90db6bac66c20229372f4cee
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1f37f777de7417f2252e8fee867a3673f2e46608064ffb2ec63fb1674108055f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E3112D30B199199FCA58EB5CF4596ACB7E1FF9971174041AAE04AC325BDE20AC4287C1
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 553b3ef2f6a6f2a0fec6fbe629bc96aea5816f8e80861db1bcc61ebbc728d001
                                                                                                                                                                                                                                                                        • Instruction ID: 1fa6c33e4eeda79115152ff928488e0b8bdb99cdaae11d3d853e72e646a0ab99
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 553b3ef2f6a6f2a0fec6fbe629bc96aea5816f8e80861db1bcc61ebbc728d001
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FF01617130ED0A9FDB98D75DA0643A5B391FBD87653108A6ED00EC7248CE21FC5A8790
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f3dea5c4f0f28731808a9fcd0eeaefc94c3f1a75678d9034ad758d1e8a1c4ea9
                                                                                                                                                                                                                                                                        • Instruction ID: 924f5d866cb1af8f75f92e762f753ab9e8dc15c6d69bb42acd90db2083088a7f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f3dea5c4f0f28731808a9fcd0eeaefc94c3f1a75678d9034ad758d1e8a1c4ea9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 81012B3060CE5D8FDF54F61DD484EB473D0EF6931574504E6D08ACB2A6DA18EDC287A0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 657316c9421cf44bf1913dd706aa9e183d978df29dbb23a2b93e640cdc26274d
                                                                                                                                                                                                                                                                        • Instruction ID: 755beb4e88d023d0bb03a1383ed70e3274c06b35047ea0a03f36752eb25eb69b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 657316c9421cf44bf1913dd706aa9e183d978df29dbb23a2b93e640cdc26274d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F11E631D0995D8EDB99EF9C94556ECB7B1FF66300F9051BAC10DE3246DA3059808B00
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 0ae1b02fd2637a66d8bb90ad0cba271b1996a8a9877d577515341968ac173396
                                                                                                                                                                                                                                                                        • Instruction ID: e02ecf5173015b4b4c8a6f54553fd832cf18cb6535fe94752ee01113ee6783c8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0ae1b02fd2637a66d8bb90ad0cba271b1996a8a9877d577515341968ac173396
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D113A70D09A498FEB95EB68E8557ECB7B1FF55710F4081B9C04DE3295CE386882CB01
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 12af0927fa1cf4be75ac77c8d17c0a889f6aaa5a2d7105ba9c8c1088c1156bf7
                                                                                                                                                                                                                                                                        • Instruction ID: 1e808b7ddb458670400d0688b728749ab64f3670e2aded0ffe9a51a27761b8d5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 12af0927fa1cf4be75ac77c8d17c0a889f6aaa5a2d7105ba9c8c1088c1156bf7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB01A93070884D4FD6D4E65DA8487B6F3D5FB99721F40427AE50CC3256ED25EC518391
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: eb1436a873b3048c451daccce44b06ec98e35493066f1625b55c0eed5d81d69b
                                                                                                                                                                                                                                                                        • Instruction ID: fb0a017dad52b7648148fe249def9c19b6a786d0c4b007a223ae4b71960e4d5b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eb1436a873b3048c451daccce44b06ec98e35493066f1625b55c0eed5d81d69b
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C5012642B0D8865FE256B6BD38AD2F5EF90EF6653074442BBE00DC31ABDD182955C394
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 97bf6857f88ded0c6925d4bb7c21ebb17ee064d14baf052a1c3588e5f69d46cd
                                                                                                                                                                                                                                                                        • Instruction ID: 98bdfa5c39d0cd7437bca02cd28d4d1e3735ecf943f022b1e72fd01c3122c065
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 97bf6857f88ded0c6925d4bb7c21ebb17ee064d14baf052a1c3588e5f69d46cd
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 55014421718D8E4FAB98FF5DA4416B5B3D1FFA8254750437AE40EC314ADE35F9428781
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 3e423aa2e3a13b5158cd33849900225cf13e7d3e6ab5ebf58577a0bdd3f083f1
                                                                                                                                                                                                                                                                        • Instruction ID: e987ecf04d0c3c351649020cb31860fe8d34caa145fdd3f7660908413b4f020a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e423aa2e3a13b5158cd33849900225cf13e7d3e6ab5ebf58577a0bdd3f083f1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37F0503170D9880FE354A52CAC4D9B27FD4EF6A23235501FFE448C7177E9029C428354
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 5043ff90547595aa92771ae60e40c840b3772156fa50bc360f1235ea8a55b0c7
                                                                                                                                                                                                                                                                        • Instruction ID: 3e0f0e8e6cb0f18a5204aeb9351bf24e3f5e31f373722c530fb5164d08f0377b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5043ff90547595aa92771ae60e40c840b3772156fa50bc360f1235ea8a55b0c7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3801D230909B488FE794EB2CA4096AABBD1EFA5714F44497ED48DC3368DA38A4818741
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 376a58e3a9fe7bbce93fad4df8e11bb2bddf73ac82a787f00fda4cdd0669074c
                                                                                                                                                                                                                                                                        • Instruction ID: 70f41c63f2b5be67088eab80b7bb3b55790382f9f4a5a68b56c54ba287d2593e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 376a58e3a9fe7bbce93fad4df8e11bb2bddf73ac82a787f00fda4cdd0669074c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3001F121528F868AD355B338A0097E2B3E1FF91314F80856ED08EC3287EEB874848392
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: c667ca817d23aa906a0600842e4230aa13a726aa76ae0b63456d8124ac333d4a
                                                                                                                                                                                                                                                                        • Instruction ID: e9fe06405290331fb74b1c66b2a415944f275c0f6e93374848a6954ea669f0d9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c667ca817d23aa906a0600842e4230aa13a726aa76ae0b63456d8124ac333d4a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2DF0CD36D48A4C8BEB21AE98B4042F8F7B4FB93754F40203AC10CA3140E73A9995CB58
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f4a76e89d087e8057814ed1ac1f617b032e3c5a8dc95500b1a4df0fb48b4304a
                                                                                                                                                                                                                                                                        • Instruction ID: a32ad750d9b79419626235f42415387aed36ecdbe4dfa15d701c1eb08f24d893
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f4a76e89d087e8057814ed1ac1f617b032e3c5a8dc95500b1a4df0fb48b4304a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EDF0F635D4954D4BD721AF98F4002F9F7B4EB53750F80103AC10CA3180EB3A99D5C758
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: fce8951801ff1d1936960441aa97075c691c5fa2334196ffb31ed3fad2d7f6b3
                                                                                                                                                                                                                                                                        • Instruction ID: 6161f074444804e5b6f908d1d39f7c8d4578cf05c5413de4145ba55875dc5ccc
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fce8951801ff1d1936960441aa97075c691c5fa2334196ffb31ed3fad2d7f6b3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03016231F1891D4FAB94FB9CA4952FCB3A1EFAC751B800136D50DE328ACE286C4243A0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 85c51d1506b052630b1ead4a840e7db4e1bb7bca8ef9be2db639ddf8c69cf527
                                                                                                                                                                                                                                                                        • Instruction ID: 526b89b7c108cae9fb33a4432a87eec4292ab6a98c5f214feea560346e753914
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 85c51d1506b052630b1ead4a840e7db4e1bb7bca8ef9be2db639ddf8c69cf527
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5FF0F92190D7C90FE3A6767C18660D9BFD1DF1662079980FAD544CB197FD6C4C8283A2
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e3f2a06647afc9751d6094f46baae656b76b8ae874d91b7731d3aa7c8dd60041
                                                                                                                                                                                                                                                                        • Instruction ID: 759e9fa2c52369c39013dbb2e27791816d4f10ac0541daf6ffa187d9cbc4c5f8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e3f2a06647afc9751d6094f46baae656b76b8ae874d91b7731d3aa7c8dd60041
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B001FE7080DB8DAFD346AB7898191E9BBB4FF56210F4146F7D01DC70A2DE382954C752
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
Memory Dump Source
• Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2558905175.00007FF7BFEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7bfea0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: b6db72baf54293c16e562b464499df78dc2a61f95fe601298cf442409ecf1127
                                                                                                                                                                                                                                                                        • Instruction ID: 4848cd0daa7d593eea8234649ef49312a1a03a42770724e9332a949c436728e9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6db72baf54293c16e562b464499df78dc2a61f95fe601298cf442409ecf1127
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C7F0C87061AE469FE79AEB7C801A6B9B3D1FF91704B5055BCE00BC3195DE38E8418750
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 046fb5d1a02d9c2f0efa566224013a8fd0bc93b8017a3ef3eedc736b603d3488
                                                                                                                                                                                                                                                                        • Instruction ID: 1243162b2a88e0f168b72b0c307c8448ba37e45f40c5721f745ecfb0bc4fd587
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 046fb5d1a02d9c2f0efa566224013a8fd0bc93b8017a3ef3eedc736b603d3488
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1FF08C31C4464C8BD710AEA9A0043F9F7B8EB8B305F80507AD40CA2180D37A95A5CB24
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 4aab073f73e9e45a7a9d273f2fe0e3e7d4448f055d241bd51639022c32b5c1c3
                                                                                                                                                                                                                                                                        • Instruction ID: 7147b3d66c6ede76282960705d6b8699aa09b069bb715176689fdf3c9901b8b4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4aab073f73e9e45a7a9d273f2fe0e3e7d4448f055d241bd51639022c32b5c1c3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74F01D31E0896D8FDB94EA58A8547ECB3B1FB56260F4055B5D14DE3141DE356C418B41
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: f0df4537478a5e2b161437e0427855f7ea7948c0ece65b7d604de79c52108953
                                                                                                                                                                                                                                                                        • Instruction ID: f199c953be4a39dcf428937604d687e3a24db51db544d553a8ac0dc4c1c96186
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f0df4537478a5e2b161437e0427855f7ea7948c0ece65b7d604de79c52108953
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C6F05931809A8A0FD355E76CA84C5E0B7D0FF15300B8405BAD408CB2EFDE28F8D08760
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 0000000F.00000002.2558252173.00007FF7BFE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFE10000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_15_2_7ff7bfe10000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2556571174.00007FF7BFC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7bfc90000_AteraAgent.jbxd